Analyst's Perspective: 10 WinDBG Commands You Might Not Know (But Should)
The NT Insider, Vol 18, Issue 2, May-June 2011 | Published: 08-Jul-11 | Modified: 08-Jul-11
Can you count the number of WinDBG commands you know on one hand? Been meaning to learn some commands other than !analyze -v but been too busy to crack the docs open? Well then, this article is for you! I’m going to break down ten WinDBG commands that I couldn’t live without.
System Information Commands
Sometimes as part of your analysis, you’d like a bit more detailed information about the target system that generated the crash dump. The commands in this section are going to let you find out critical details about your system that just might be the clues you need to perform your analysis.
!vm
Don’t be fooled by the name: the !vm command gives you a great quick view into the virtual and physical memory usage on a system. When I run !vm I like to use a flags value of 0x21, which will omit some process-specific memory usage information and add in some extra info about the kernel address space on platforms that support it (see Figure 1).
kd> !vm 0x21
*** Virtual Memory Usage ***
Physical Memory: 261886 ( 1047544 Kb)
Page File: \??\C:\pagefile.sys
Current: 1572864 Kb Free Space: 1571132 Kb
Minimum: 1572864 Kb Maximum: 3145728 Kb
Available Pages: 211575 ( 846300 Kb)
...
Free System PTEs: 231247 ( 924988 Kb)
...
NonPagedPool Usage: 0 ( 0 Kb)
NonPagedPoolNx Usage: 2969 ( 11876 Kb)
NonPagedPool Max: 52691 ( 210764 Kb)
...
PagedPool Usage: 4904 ( 19616 Kb)
PagedPool Maximum: 51200 ( 204800 Kb)
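As an added example (not part of the original article), this Python code parses the `!vm 0x21` output shown above and reports how close the pools and physical memory are to their limits. The function names, the 80% warning threshold, and the reading that NonPagedPool Max bounds both nonpaged pool rows are assumptions.

```python
import re

# Output copied from the figure above; "..." marks lines the article elided.
SAMPLE = r"""*** Virtual Memory Usage ***
Physical Memory: 261886 ( 1047544 Kb)
Page File: \??\C:\pagefile.sys
Current: 1572864 Kb Free Space: 1571132 Kb
Minimum: 1572864 Kb Maximum: 3145728 Kb
Available Pages: 211575 ( 846300 Kb)
...
Free System PTEs: 231247 ( 924988 Kb)
...
NonPagedPool Usage: 0 ( 0 Kb)
NonPagedPoolNx Usage: 2969 ( 11876 Kb)
NonPagedPool Max: 52691 ( 210764 Kb)
...
PagedPool Usage: 4904 ( 19616 Kb)
PagedPool Maximum: 51200 ( 204800 Kb)
"""

# Counter rows have the shape "<label>: <pages> ( <kb> Kb)"; page-file rows do not.
ROW = re.compile(r"^\s*([^:]+?):\s+(\d+)\s+\(\s*(\d+)\s*Kb\)", re.I)

def parse_vm(text):
    """Return {label: (pages, kb)} for every counter row in !vm output."""
    rows = {}
    for line in text.splitlines():
        if m := ROW.match(line):
            rows[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return rows

def pct(used, limit):
    return round(100.0 * used / limit, 1) if limit else None

def headroom(rows, warn_pct=80.0):
    """Summarise memory pressure; warn_pct is an assumed threshold, not from the article."""
    pages = lambda label: rows.get(label, (0, 0))[0]
    # Assumption: "NonPagedPool Max" bounds the executable and Nx pools combined.
    npp = pages("NonPagedPool Usage") + pages("NonPagedPoolNx Usage")
    phys, phys_kb = rows["Physical Memory"]
    report = {
        "nonpaged_pool_pct": pct(npp, pages("NonPagedPool Max")),
        "paged_pool_pct": pct(pages("PagedPool Usage"), pages("PagedPool Maximum")),
        "physical_in_use_pct": pct(phys - pages("Available Pages"), phys),
        "page_kb": phys_kb // phys,  # page size implied by the pages/Kb pair
    }
    report["warnings"] = [k for k, v in report.items()
                          if k.endswith("_pct") and v is not None and v >= warn_pct]
    return report
```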