Debug driver with WinDbg

WinDbg is a kernel-mode and user-mode debugger that is included in Debugging Tools for Windows. Here we provide hands-on exercises that will help you get started using WinDbg as a user-mode debugger. After you have installed the debugging tools, locate the installation directories for the 64-bit (x64) and 32-bit (x86) versions of the tools.

For example: On the File menu, choose Open Executable. In the Open Executable dialog box, navigate to the folder that contains notepad.exe. For File name, enter notepad.exe. Select Open. The debugger needs symbol files to obtain information about code modules (function names, variable names, and the like).

Note: If you don't see any output, enter. To see symbols in the Notepad.exe module. Notepad runs until it comes to the WinMain function, and then breaks in to the debugger. In the next section, we will examine the state of the variables after the DeviceAdd code has executed.

Note that the breakpoint dialog box only works with existing breakpoints. New breakpoints must be set from the command line. You can also set breakpoints that fire when a memory location is accessed. Use the ba (Break on Access) command, with the following syntax. Note: Stepping through code from the Debugger Command window.

The following are the commands that you can use to step through your code, with the associated keyboard shortcuts shown in parentheses. Note that if the flow of code execution does not reach the point indicated by the cursor (for example, an IF statement isn't executed), WinDbg will not break, because the code execution did not reach the indicated point. Step over (F10) — This command causes code execution to proceed one statement or one instruction at a time. If a call is encountered, code execution passes over the call without entering the called routine.

Step in (F11) — This command is like step-over, except that the execution of a call does go into the called routine. Step out (Shift+F11) — This command runs until the current routine returns; it is useful if you've seen enough of the routine. This lab assumes that you are stopped at the AddDevice routine using the process described earlier. To view the output shown here, repeat the steps described previously, if necessary. You can find the address of a global variable by typing ? followed by the variable name. You can display the names and values of all local variables for a given frame by typing the dv command.

Note: The call stack is the chain of function calls that have led to the current location of the program counter. The top function on the call stack is the current function, the next function is the function that called the current function, and so on. The call stack shows that the kernel (nt) called into Plug and Play code (PnP), which called driver framework code (WDF), which subsequently called the echo driver's DeviceAdd function. In Section 9, you will display information about the process and threads running in kernel mode.

Note: You can display or set process information by using the !process command. We will set a breakpoint to examine the processes that are used when a sound is played. Type the dv command to examine the local variables associated with the EchoEvtIo routine as shown. This will cause the breakpoint to fire, and execution of the driver code on the target system will halt.

The output shows that the process is associated with echoapp.exe. For more information, see !process. In the example shown below, the process address is ffffee6a. Record the process ID associated with echoapp.exe. Enter g as required into the debugger to run the code forward until echoapp.exe is done. It will hit the breakpoint in the read and write events a number of times.

When echoapp.exe. In the output shown below, the process with the Image value of System is different from the Echo Image value. The output above shows that a system process, ffffeb65d, was running when we stopped the OS.

Now, use the !process command. Provide your echoapp.exe process address. Note: The commands to view and set threads are very similar to those for processes. To view the threads that are running, type !thread. Information similar to the following should be displayed. Note the image name of echoapp.exe. Note: You can alternatively use !process; the output from this command can be lengthy. Provide the process address from your !process output.

This example output is for cmd.exe. Note that the image name for this process ID is cmd.exe. As expected, the current thread is the thread associated with echoapp.exe. Use the !thread command to display information about the thread associated with cmd.exe. Provide the thread address you recorded earlier.

Provide the thread address of the waiting cmd.exe thread. Call stack elements such as KiCommitThreadWait indicate that this thread is not running, as expected. Note: For more information about threads and processes, see the following references. The interrupt request level (IRQL) is used to manage the priority of interrupt servicing. Each processor has an IRQL setting that threads can raise or lower. Interrupts that occur at or below the processor's IRQL setting are masked and will not interfere with the current operation.

Interrupts that occur above the processor's IRQL setting take precedence over the current operation. When the target computer breaks into the debugger, the IRQL changes, but the IRQL that was effective just before the debugger break is saved and is displayed by !irql.
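The Echo-driver steps above (pattern breakpoint, call stack, locals, break-on-access, stepping, process and thread inspection, IRQL, registers), collected into one kernel-mode WinDbg session as an added example that is not part of the original lab; the module name echo, the EchoEvtIo* callback names, the global variable and the addresses are assumptions or placeholders:

```text
kd> bm echo!EchoEvtIo*          ; pattern breakpoint on the I/O event callbacks (module/names assumed)
kd> g                           ; resume the target; run echoapp.exe there so the breakpoint fires
kd> k                           ; call stack: nt (kernel) -> Wdf01000 (framework) -> echo (driver)
kd> dv                          ; names and values of the local variables in the current frame
kd> ? echo!g_ExampleGlobal      ; placeholder global: ? evaluates the symbol and prints its address
kd> ba w4 <address>             ; break when 4 bytes at that address are written (r/w/e access types)
kd> bl                          ; list breakpoints and their state
kd> p                           ; step over (F10); t = step into (F11); gu = step out (Shift+F11)
kd> !process -1 0               ; current process: record its PROCESS address and Image (echoapp.exe)
kd> !process 0 0 echoapp.exe    ; the same process located by image name instead
kd> !thread                     ; current thread, including its call stack and wait state
kd> !irql                       ; IRQL that was in effect just before the debugger break
kd> r                           ; registers of the current thread on the current processor
kd> bc *                        ; clear all breakpoints before letting the target run freely
kd> g
```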

Display the contents of the registers for the current thread on the current processor by using the r Registers command. For more information see r Registers. Viewing the contents of the registers can be helpful when stepping through assembly language code execution and in other scenarios. For more information about assembly language disassembly, see Annotated x86 Disassembly and Annotated x64 Disassembly. For information about contents of the register, see x86 Architecture and x64 Architecture.

To end a user-mode debugging session, return the debugger to dormant mode and set the target application running again by entering the qd (Quit and Detach) command. Be sure to use the g command to let the target computer run code, so that it can be used. For more information, see Ending a Debugging Session in WinDbg in the debugging reference documentation. Additional information is available on Windows debugging. Note that some of these books use older versions of Windows, such as Windows Vista, in their examples, but the concepts discussed are applicable to most versions of Windows.

See also: Standard Debugging Techniques, Specialized Debugging Techniques, and Getting Started with Windows Debugging.

Note: This lab assumes that both the target and host PCs are running a 64-bit version of Windows. To locate the method that changes the volume, use the x command to list the symbols in CAdapterCommon that contain the string volume.

Select and hold or right-click Sink Description Sample and select Properties. Select the Levels tab. Adjust the slider volume. This should cause the SetMixerVolume debug breakpoint to fire and execution of the driver code on the target system should halt. Use the dv command to display the current variables and their values. More information on variables is provided in the next section of this lab.

The following are the commands that you can use to step through your code, with the associated keyboard shortcuts shown in parentheses. Step over (F10) — This command causes code execution to proceed one statement or one instruction at a time.

If a call is encountered, code execution passes over the call without entering the called routine. Step in (F11) — This command is like step-over, except that the execution of a call does go into the called routine. Step out (Shift+F11) — This command runs until the current routine returns; it is useful if you've seen enough of the routine.

Note that if the flow of code execution does not reach the point indicated by the cursor (for example, an IF statement isn't executed), WinDbg will not break. Setting the instruction pointer to the cursor-designated line is handy if you want to retry a sequence, but it requires some care. For example, registers and variables are not set to what they would be if code execution had reached that line naturally.

Direct setting of the eip register -- You can put a value into the eip register, and as soon as you press F5 (or F10, F11, etc.). This is similar to setting the instruction pointer to the cursor-designated current line, except that you specify the address of an assembly instruction.

It can be easier to step through code from the UI than from the command line, so this method is recommended. If necessary, the following commands can be used to step through a source file at the command line. You can set a breakpoint in code by adding the DebugBreak statement, rebuilding the project, and re-installing the driver.

This breakpoint will fire each time the driver is enabled, so it is a technique to be used in the early development stages, not in production code. This technique is not as flexible as dynamically setting breakpoints using the breakpoint commands. Tip: You may want to keep a copy of the Sysvad driver without the breakpoint added for further lab work. Set a break to occur each time the AddDevice method is run by adding the DebugBreak statement to the sample code.

Follow all of the steps previously described to rebuild the driver in Microsoft Visual Studio and re-install it on the target machine. Be sure to uninstall the existing driver before installing the updated driver. When the code runs and reaches the DebugBreak statement, execution will stop and a message will be displayed. It can be useful to examine variables as the code executes to confirm that the code is working as expected.

This lab examines variables as the audio driver produces sound. Use the dv command to examine the local variables associated with the tabletaudiosample! routine. Locate a small media file, such as a Windows notification sound file (for example, you can use Ring). When the media file is played, the breakpoint should fire, and execution of the driver code on the target system should halt. The source code window should be highlighting the brace at the entrance to the NewStream function.

You can display the names and values of all local variables for a given frame by typing the dv command. To use DML to explore variables, select the underlined elements. The select action builds a dx (Display NatVis Expression) command that allows you to drill down into nested data structures. You can find the memory location of a global variable by typing ? followed by the variable name. You can view the contents of that memory location by typing the dd command with the memory location returned by the previous command.

This interface also provides the ability to drill down into more complex data structures. Use the dv command to display the names and values of all local variables for a given frame. Note that, as expected, the values are different from the last time we ran this command, as additional code has run that changes the local variables; some variables are no longer in the current frame, and others have changed value.

The call stack is the chain of function calls that have led to the current location of the program counter. The top function on the call stack is the current function, and the next function is the function that called the current function, and so on. Select the columns at the top of the window to toggle the display of additional information. You can use DML to further explore the code.

When you select the first 00 entry, the. To change the current process context, use the .process command. The following example demonstrates how to identify a process and switch context to it. For more information, see !process. The output shows that the process is associated with audiodg.exe.

If you are still at the breakpoint described in the previous section of this topic, the current process should be associated with audiodg.exe.

This thread was supporting the playing of the media clip when the breakpoint was hit. In the example shown below, the process ID is ffffedc. Record the process ID associated with audiodg.exe.

Enter g into the debugger to run the code forward until the media clip is done playing. The output above shows that a different system process, ffffecd0ad, is running. The image name shows System, not audiodg.exe. Now use the !process command. In the example, the process ID is ffffedc. Substitute the process ID in the example with the process ID that you recorded earlier. The commands to view and set threads are very similar to those for processes. To explore the threads associated with the media player, play the media clip again.

If the breakpoint described in the previous section is still in place, you will stop in the context of audiodg.exe. To view more information about the thread that is running, type !thread. Information similar to the following should be displayed. The image name is rundll. The interrupt request level (IRQL) is used to manage the priority of interrupt servicing.

Each processor has an IRQL setting that threads can raise or lower. Interrupts that occur at or below the processor's IRQL setting are masked and will not interfere with the current operation. Interrupts that occur above the processor's IRQL setting take precedence over the current operation. When the target computer breaks into the debugger, the IRQL changes, but the IRQL that was effective just before the debugger break is saved and is displayed by !irql.

Display the contents of the registers for the current thread on the current processor by using the r Registers command. Viewing the contents of the registers can be helpful when stepping through assembly language code execution and in other scenarios. For more information see r Registers. For information about contents of the register, see x86 Architecture and x64 Architecture.

For more information about assembly language disassembly, see Annotated x86 Disassembly and Annotated x64 Disassembly. You may need to examine memory to identify an issue or to inspect variables, pointers, and so on. Note: If you attempt to display an invalid address, its contents are shown as question marks (?). Use the Display format pull-down to change how the memory is displayed. To view data associated with the volume control, set a breakpoint to fire on the PropertyHandlerAudioEngineVolumeLevel routine using the bm command.

On the target system, adjust the volume in the system tray. This will cause the breakpoint to fire. Note the current value of the IVolume variable. You can display the data type and the current value of the IVolume variable in the sample code by typing the dt command and the name of the variable. Then display the value at the memory location of IVolume by using the dd command on that address.
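The Sysvad volume inspection described above (symbol search with x, the bm breakpoint, switching process context, and displaying IVolume by type, by value and as raw memory), as an added kernel-mode WinDbg session that is not part of the original lab; the PROCESS address and the variable's address are placeholders, and IVolume is the variable name as written in this lab:

```text
kd> x tabletaudiosample!CAdapterCommon::*volume*     ; symbols in CAdapterCommon that contain "volume"
kd> bm tabletaudiosample!*PropertyHandlerAudioEngineVolumeLevel*   ; break on the volume-level handler
kd> g                                  ; adjust the volume on the target; the breakpoint fires
kd> !process 0 0 audiodg.exe           ; locate the audio engine process and its PROCESS address
kd> .process /r /p <PROCESS address>   ; switch to that process context and reload its user symbols
kd> dv /t /v                           ; local variables with their types and addresses
kd> dt IVolume                         ; data type and current value of the volume variable
kd> ?? IVolume                         ; the same value through the C++ expression evaluator
kd> dd <address of IVolume> L1         ; dump the single DWORD stored at the variable's address
kd> dd 0 L4                            ; invalid address: the contents are shown as ????????
kd> dx -r1 @$curprocess                ; DML view of the current process; select links to drill down
```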
