1. #1
    x BlueRobot

    WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    I've created my WinDbg Cheat Sheet (.DOC), which can be downloaded from my OneDrive, and I'm going to attach the file to this post too. I've excluded LPCs, Registry and the Heap because they were too long and would take about 2/3 pages in total.

    I'm planning to convert some of my blog posts into a printable .DOC format; unfortunately, I haven't added the images, to conserve paper and ink. However, I've edited the .DOC version slightly to compensate for this. I've got a few finished already but will probably upload them all in a single folder at a later date.

    If you have any suggestions or corrections, please post them here.

    **Update**

    I've just remembered the !cpuinfo and !cpuid extensions. I've also corrected a mistake with the !system extension; it should have been !sysinfo.

    Please check my latest post here, for the latest version of the cheat sheet.
    Last edited by x BlueRobot; 07-03-2014 at 07:15 PM.
    Machines Can Think

    Oxygen, Nature's paradox.

  2. #2
    niemiro

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    This is amazing - thanks so much for it! I don't do that much debugging anymore, having moved mostly into Windows Update, and I find it difficult to always remember how each of the commands works. This looks great :)

  3. #3
    x BlueRobot

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    Quote Originally Posted by niemiro View Post
    This is amazing - thanks so much for it! I don't do that much debugging anymore having moved mostly into Windows Update, and I find it difficult to always remember how each of the commands work. This looks great :)
    Thanks, glad you like it!

  4. #4

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    Great reference, Harry.

    Thanks!

  5. #5

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    Nice work! Thanks!

  6. #6
    x BlueRobot

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    **WinDbg Cheat Sheet Latest Version**

    The new version is also on my OneDrive. The URL is in my blog post.

  7. #7
    blueelvis (Forum Moderator, BSOD; BSOD Kernel Dump Expert; Contributor)

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    Great work mate!

    I have formatted the whole thing and re-uploaded it. I also added the author and specified your profile over on Sysnative. Here it is (I hope you don't mind :) ).

    https://drive.google.com/file/d/0Bxv...it?usp=sharing

  8. #8
    x BlueRobot

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    *Update*

    Added:

    • Power Policy Extensions
    • SwishDbgExt and ProcDumpExt
    • Registry Extensions and Data Structures
    • Local Inter-Process Calls (LPCs) Extensions
    • Heap Data Structures and Extensions
    • Windows Access Tokens
    • Miscellaneous


    I've added a Contents section which is hyperlinked locally to the appropriate headings within the document. It should hopefully help improve the readability since I've added around 3-4 pages.

  9. #9

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    Any idea if SwishDbgExt and ProcDumpExt dll files are still available anywhere for download?

  10. #10
    Sysnative Staff (BSOD Kernel Dump Analyst; Contributor)

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    The ProcDumpExt DLL has, I believe, not been available for quite some time. I think the same goes for the SwishDbgExt DLL.

  11. #11
    x BlueRobot

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    ProcDumpExt isn't publicly available anymore unfortunately, however, SwishDbgExt can still be downloaded from https://github.com/comaeio/SwishDbgExt

    Fortunately, I still have an x86 version of ProcDumpExt.dll, which I have added to my OneDrive Public folder - https://1drv.ms/u/s!AhMRd9NefIbhacsP4BU4QTIYlUM

    I'll look at reviewing and updating this document too.

  12. #12

    Re: WinDbg Cheat Sheet - Data Structures, Commands and Extensions

    I have discovered that Andrew Richards (author of ProcDumpExt) has made a new version of this extension called Prototype Debugger Extension (PDE). It is available on his publicly shared OneDrive.

    Download the current version (ver 11.3) zip file, locate the appropriate PDE.dll file (either x64 or x86) and copy to your WinDBG directory e.g. C:\Program Files (x86)\Windows Kits\10\Debuggers\x64

    Useful commands can be viewed by loading the extension and then viewing the help.

    Code:
    4: kd> !load PDE
    =========================================================================================
     PDE v11.3 - Copyright 2017 Andrew Richards
    =========================================================================================
    4: kd> !help
    =========================================================================================
    Help for Prototype Debugger Extension (PDE) v11.3 - Copyright 2009-2017 Andrew Richards
    =========================================================================================
      !seek          - Equivalent of ~*knL and/or !deep 1
    
      !seek [-q] [-e symbol] [<symbol> [command]]
                     - Execute 'command' against stacks that contain 'symbol'
                        (Note, don't include a displacement in the specified symbol)
    
                     - Specify '-q' (quiet) to omit the per-thread header
    
                     - Specify '-e' to exclude stacks that contain 'symbol'
                        (Note, don't include a displacement in the specified symbol)
    
                       e.g. !seek
                            !seek ReadFile
                            !seek ReadFile kbn
                            !seek ReadFile dps @rsp @rsp+0x20
                            !seek -q ReadFile !teb
                            !seek -e SleepEx ReadFile !teb
    
      !seek -?        - Display the help for !seek
      !seek -help     - Display the help for !seek
    
    =========================================================================================
      !deep          - Equivalent of ~*knL but only displays stacks that are at least
                       'depth' frames deep (default depth is 1)
    
      !deep [<depth> [-q] [-s symbol] [-e symbol] [command]]
                     - Execute 'command' against stacks that are at least 'depth' frames deep
    
                     - Specify '-q' (quiet) to omit the per-thread header
    
                     - Specify '-s' to only include stacks that contain 'symbol'
                        (Note, don't include a displacement in the specified symbol)
    
                     - Specify '-e' to exclude stacks that contain 'symbol'
                        (Note, don't include a displacement in the specified symbol)
    
                       e.g. !deep
                            !deep 25
                            !deep 25 kbn
                            !deep 25 dps @rsp @rsp+0x20
    
                            !deep 25 -q
                            !deep 25 -q !teb
    
                            !deep 25 -s ReadFile
                            !deep 25 -s ReadFile kbn
                            !deep 25 -s ReadFile dps @rsp @rsp+0x20
    
                            !deep 25 -e SleepEx
                            !deep 25 -e SleepEx kbn
                            !deep 25 -e SleepEx dps @rsp @rsp+0x20
    
      !deep -?        - Display the help for !deep
      !deep -help     - Display the help for !deep
    
    =========================================================================================
      !busy          - Equivalent of ~*knL but only displays stacks that are at least
                       'depth' frames deep (default depth is 1) and are not waiting for:-
                        ~ ntdll!NtWaitFor*
                        ~ ntdll!ZwWaitFor*
                        ~ ntdll!NtRemoveIoCompletion
                        ~ ntdll!ZwRemoveIoCompletion
                        ~ ntdll!NtReplyWaitReceivePort
                        ~ ntdll!ZwReplyWaitReceivePortEx
    
      !busy [<depth> [-x] [-q] [-s symbol] [-e symbol] [command]]
                     - Execute 'command' against stacks that are at least 'depth' frames deep
                       and are not waiting (for the list above)
    
                     - Specify '-x' to also exclude waiters of network calls, sleeps nad messages:-
                        ~ ntdll!NtRequestWaitReplyPort
                        ~ ntdll!ZwRequestWaitReplyPort
                        ~ ntdll!NtDelayExecution
                        ~ ntdll!ZwDelayExecution
                        ~ ntdll!RtlDeactivateActivationContextUnsafeFast
                        ~ *!NtUserWaitMessage
                        ~ *!ZwUserWaitMessage
                        ~ *!ZwUserGetMessage
                        ~ *!NtUserGetMessage
    
                     - Specify '-q' (quiet) to omit the per-thread header
    
                     - Specify '-s' to only include stacks that contain 'symbol'
                        (Note, don't include a displacement in the specified symbol)
    
                     - Specify '-e' to exclude stacks that contain 'symbol'
                        (Note, don't include a displacement in the specified symbol)
    
                       e.g. !busy
                            !busy 25
                            !busy 25 kbn
                            !busy 25 dps @rsp @rsp+0x20
    
                            !busy 25 -x
                            !busy 25 -x kbn
                            !busy 25 -x dps @rsp @rsp+0x20
    
                            !busy 25 -q
                            !busy 25 -q !teb
    
                            !busy 25 -s ReadFile
                            !busy 25 -s ReadFile kbn
                            !busy 25 -s ReadFile dps @rsp @rsp+0x20
    
                            !busy 25 -e SleepEx
                            !busy 25 -e SleepEx kbn
                            !busy 25 -e SleepEx dps @rsp @rsp+0x20
    
      !busy -?        - Display the help for !busy
      !busy -help     - Display the help for !busy
    
    =========================================================================================
      !dpx           - Equivalent of dps, dpp, dpa and dpu (combined); also class types (dt) and trap frames (kV)
    
      !dpx           - Displays from stack pointer to the stack base
      !dpx N         - Displays the first N values, from the stack pointer down
      !dpx <addr> N
                     - Displays the first N values, from <addr> down
      !dpx <addr> <addr>
                     - Displays from addr to addr
    
                     - Specify '-u' to display an unlimited number of values
                       Default limit is 6,000 addresses
    
                     - Specify '-a' to display all stack values
                       Default only displays stack values that point to a value
    
                     - Interface pointers are adjusted to align with the class's virtual function table (vftable)
                     - When there is a value adjustment, the pointer is displayed in light blue text
    
                     - Specify the following to limit the types; multiple options are allowed
                       -da : ANSI strings
                       -du : UNICODE strings
                       -dt : Data Types
                       -ds : Symbols
                       -df : Trap Frames (Kernel only)
                       -dse: Stowed Exceptions (WinRT apps only)
    
    
                       e.g. !dpx
                            !dpx 20
                            !dpx -a
                            !dpx -da -du 20
                            !dpx <addr> <addr> -u
                            !dpx <addr> <addr> -u -a
    
    =========================================================================================
      !spx           - Find an expression (number) or data type (symbol)
                     - Search is pointer aligned
                     - Special handling for multiple interface classes
                     - Add -dt to perform a 'dt' on each address
                     - Very fast in User Mode
                     - Very slow in Kernel Mode
    
      !spx [-dt] [-s <addr>] [-e <addr>] <expression>
    
                       e.g. !spx combase!CComApartment
                            !spx -dt combase!CComApartment
                            !spx -s @rsp -e @rsp+1000 0x1234000+0n56
    
    =========================================================================================
      !ssz           - Find ANSI and UNICODE strings
      !ssa           - Find ANSI strings
      !ssu           - Find UNICODE strings
                     - Search is case sensitive
                     - Displays up to 200 characters after the initial match
                     - UNICODE search is a conversion of the ANSI command line
                     - Very FAST in User Mode
                     - Very slow in Kernel Mode
    
      !ssz [-s <addr>] [-e <addr>] <string>
      !ssa [-s <addr>] [-e <addr>] <string>
      !ssu [-s <addr>] [-e <addr>] <string>
    
                       e.g. !ssz Program Files
                            !ssz Windows
                            !ssz -s @rsp -e @rsp+1000 User
    
    =========================================================================================
      !dtr           - Equivalent of dt for each valid register
    
      !dtr [args]
      !dtr           - Lists registers that point to an address; includes class type
      !dtr <arg>     - Equivalent of dt @reg <arg> for each valid register
                         !dtr <arg> --> dt @reg <arg>
    
                       e.g. !dtr
                            !dtr nt!_ERESOURCE
                            !dtr nt!_ERESOURCE Flag
    
    =========================================================================================
      !grep          - Only shows lines which contain <search>
                     - Search is case insensitive
                     - Lines are delimited by newline ('\n')
                     - !grep can be chained
    
      !grep <search> <command>
    
                       e.g. !grep days vertarget
                            !grep call u @eip
                            !grep dt !dpx
                            !grep dt !grep DUser !dpx
    
      !ungrep        - Same as !grep but exclusion
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
      !bold          - Highlight the lines which contain <search>
                     - Search is case insensitive
                     - Lines are delimited by newline ('\n')
    
      !bold <search> <command>
    
                       e.g. !bold version vertarget
                            !bold call uf ntdll!RtlUserThreadStart
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
      !head          - Display the first N bytes of a command
      !tail          - Display the last N bytes of a command
    
      !head <bytes> <command>
      !tail <bytes> <command>
    
    =========================================================================================
      !ghostthreads  - Lists all threads; real or ghosts
      !gt            - Same as !ghostthreads
    
      !gt [command]  - If 'command' is specified, the command is run
                       for each thread, instead of the summary table.
    
                     - The following substitutions are made:
                       - $teb   - TEB Address
                       - $base  - Stack Base Address
                       - $limit - Stack Limit Address
    
                       e.g. !gt !teb $teb
                            !gt !dpx $base $limit
    
    =========================================================================================
      !loadsos        - Runs #1
      !loadpsscor     - Runs #2
      !loadsosex      - Runs #3
      !loadspext      - Runs #4
    
      Define PDE_LOADCORDLL to change the default (at load)
                      0 = Disabled
                      1 = SOS (default)
                      2 = PSSCORx + SOSEX
                      3 = SOS + SOSEX
                      4 = SOS + SOSEX + SPEXT 
    
    =========================================================================================
      !comment        - Display the dump's comment (with DML)
    
      !notes          - Executes commands based on the dump type - starts your case notes
      !exr            - Executes commands based on the exception code (.exr -1)
    
      !line           - Print a line
      !bigline        - Print three big lines
    
      !du <addr>      - Display a UNICODE string (up to 4Gb)
      !da <addr>      - Display a ANSI string (up to 4Gb)
      !err <code>     - Display an Error Code
      !guid <addr>    - Display a GUID
    
      !url <url>      - Open a url; use !ext.url instead
    
      !kr             - knL printed upside down so WinDiff works better
    
      !dtr            - Displays Data Types in Registers
      !msr            - Displays the Model-Specific Registers (MSR)
    
      !stowedexceptions
                      - Display the Stowed Exceptions of a Store app
      !dse            - Same as !stowedexceptions
      !bgtask         - Display the Background Tasks of a Store app
    
      !symsrvaudit    - Display the SRV status of each lookup made during the command
                      - Command defaults to ".reload /f"
    
      !diadump <module>
                      - Dump the DIA Tables and Assembly Information of the specified Module
    
      !dbgp           - Dump a DBGP ACPI table
      !dbg2           - Dump a DBG2 ACPI table
      !msdm           - Dump a MSDM ACPI table
      !slic           - Dump a SLIC ACPI table
    
      !dmem           - Display the Memory Regions of a User Mode dump
      !vmem           - Display the Virtual Regions of a User Mode process
    
      !tags [GUID]    - List the GUID and Size of the secondary callback chunks
      !tagshex [GUID] - List the GUID and Size of the secondary callback chunks, and dump in HEX
      !tagstext [GUID]- List the GUID and Size of the secondary callback chunks, and dump in TEXT
    
      !crashtask      - Enable crashdump support on the current (modern) process
    
      !dml            - Toggle .prefer_dml
      !dmlraw         - Print DML output as TEXT (used to review DML)
    
      !help           - Displays the help for all commands
    
    =========================================================================================
      -- Defaults -- 
      DML On          - .prefer_dml 1
      UNICODE On      - .enable_unicode 1
      Ignore Pages On - .ignore_missing_pages 1
      Lines Disabled  - .lines -d
    
      -- Aliases -- 
      symoff          - .outmask- 0x200
      symon           - .outmask+ 0x200
      dml             - !PDE.dml
      av              - !ext.analyze -nodb -v
      avv             - !ext.analyze -nodb -v6
      ax              - !ext.analyze -nodb -xml
      axv             - !ext.analyze -nodb -xml -xcs -xmi
      axs             - !ext.analyze -nodb -xsd
      show            - !ext.analyze -show
      sn              - !sym noisy
      sq              - !sym quiet
      rf              - .reload /f
      ru              - .reload /u
    
    =========================================================================================
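    The "locate the appropriate PDE.dll (either x64 or x86)" step in the post above decides by folder name. Since the file comes from a shared drive rather than a package manager, it is worth letting the file itself decide: the architecture is recorded in the PE header's Machine field (0x014C for x86, 0x8664 for x64), and a hash of what was copied belongs in your case notes. The following is an added example written for this thread; it is not code from the post, from PDE or from WinDbg. The zip layout, the WinDbg directory and the stub PE images are constructed assumptions, and the stubs are headers only, not loadable DLLs.

```python
"""Pick the PDE.dll build that matches a WinDbg install directory.

Added example, not code from the Sysnative thread or from PDE itself. It
carries out the "locate the appropriate PDE.dll (x64 or x86)" step by
reading the PE header's Machine field rather than trusting the folder the
file came from, and records a SHA-256 of the copied file. All paths and
the zip layout are assumptions; the stub PE images are constructed for
offline testing and are not loadable.
"""
import hashlib
import shutil
import struct
import tempfile
from pathlib import Path, PureWindowsPath

# IMAGE_FILE_HEADER.Machine values for the two builds the post mentions.
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
MACHINE_TO_DIR = {MACHINE_I386: "x86", MACHINE_AMD64: "x64"}


def pe_machine(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine of a PE image held in memory.

    'MZ' DOS header; e_lfanew (DWORD at 0x3C) points at the 'PE\\0\\0'
    signature; Machine is the WORD immediately after that signature.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 6 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    return machine


def arch_of(image: bytes) -> str:
    """Map a PE image to the WinDbg folder name ('x86' or 'x64') it belongs in."""
    machine = pe_machine(image)
    if machine not in MACHINE_TO_DIR:
        raise ValueError(f"unsupported Machine 0x{machine:04X}")
    return MACHINE_TO_DIR[machine]


def select_dll(candidates: dict, windbg_dir: str) -> str:
    """Return the candidate whose header matches the debugger directory.

    candidates maps a path inside the extracted PDE zip to the file's bytes;
    windbg_dir is the folder named in the post, which ends in x64 or x86.
    """
    wanted = PureWindowsPath(windbg_dir).name.lower()
    if wanted not in MACHINE_TO_DIR.values():
        raise ValueError(f"WinDbg directory does not end in x86/x64: {windbg_dir}")
    matches = [name for name, image in candidates.items() if arch_of(image) == wanted]
    if len(matches) != 1:
        raise ValueError(f"expected one {wanted} PDE.dll, found {len(matches)}")
    return matches[0]


def install(dll: Path, windbg_dir: Path) -> str:
    """Copy the chosen DLL next to windbg.exe; return its SHA-256 for your notes."""
    image = dll.read_bytes()
    if arch_of(image) != windbg_dir.name.lower():
        raise ValueError("refusing to copy a DLL of the wrong architecture")
    shutil.copy2(dll, windbg_dir / "PDE.dll")
    return hashlib.sha256(image).hexdigest()


def make_stub_pe(machine: int) -> bytes:
    """Constructed minimal PE header for testing (not a real, loadable DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header follows DOS header
    file_header = struct.pack("<H", machine) + b"\0" * 18   # Machine + rest of IMAGE_FILE_HEADER
    return bytes(dos) + b"PE\0\0" + file_header


def demo() -> str:
    """Constructed zip layout with the builds swapped: the header, not the folder, decides."""
    extracted = {
        "PDE/x86/PDE.dll": make_stub_pe(MACHINE_AMD64),   # mislabelled on purpose
        "PDE/x64/PDE.dll": make_stub_pe(MACHINE_I386),
    }
    chosen = select_dll(extracted, r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64")
    with tempfile.TemporaryDirectory() as tmp:          # stand-in for the real Debuggers\x64 folder
        dbg = Path(tmp) / "x64"
        dbg.mkdir()
        src = Path(tmp) / "PDE.dll"
        src.write_bytes(extracted[chosen])
        digest = install(src, dbg)
    return f"{chosen} sha256={digest}"


if __name__ == "__main__":
    print(demo())
```

    Run it once against the real extracted zip by replacing the constructed `extracted` dictionary with the files on disk; `!load PDE` in WinDbg will then pick up the copy that matches the debugger's bitness, and the recorded hash lets you confirm later which build was loaded.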
