Unusual strings in Kernel debugging

Bagher

Member
Joined
Dec 28, 2020
Posts
6
Hi


Yesterday I decided to debug my Windows. I connected my laptop (debuggee) to a PC (debugger) with a LAN cable and used Kdnet.exe to debug over the network card. My Windows is fresh. But when I started my laptop and ran WinDbg on the debugger system (PC), I saw an unusual string in WinDbg:

"the target has requested that the debugger execute a command"

I installed a new fresh Windows 10 and tried again. But I saw this message again.

Next time I deleted my EFI boot partition and installed a fresh Windows 10, and I saw it again.

Is this behavior normal or not?

I have a Lenovo Y510 with Windows 10 (UEFI).

Also, I attached a screenshot from my PC monitor.
 

Looks normal to me; it seems like the target machine has encountered an error. According to the documentation, ACPI will attempt to break in with a debugger if it encounters a fatal error.
 
Thank you.
But I thought maybe it was from a rootkit, a rootkit that uses an anti-debugging technique, because I used to see this message when I was debugging an anti-cheat driver of a game.
 
Most software will employ anti-debugging techniques for obvious reasons. Have you checked what the error message is for? The !amli extension is typically used for debugging ACPI.
 
@zbook Please ensure that you read the OP's initial post properly, it's clear that they're setting up a live debugging session with a remote computer.
 
The problem is that I don't know how to find out which driver generates this error. This error is shown when the debugging process starts.
I installed a fresh Windows because I thought this error was from a malicious driver or a rootkit or a bootkit. But nothing changed.
Also, I installed "Lenovo hardware diagnostic", but it says all hardware is OK.
Perhaps you are right. Maybe this is from ACPI.
 
In WinDbg, you can click the DML link (the blue text) and it will run the command for you. Could you please post the output?
 
I ran this command. I think the "err" command is an undocumented command or doesn't exist for amli. I attached the result.
I also read about the amli command in the Intel documents and didn't see the err command.

Try this:

Code:
!amli err 0xee
 

It's undocumented, but it does exist; otherwise WinDbg wouldn't recommend it. Have you tried entering the command in the blue text manually? I'm wondering if the DML is broken for that particular command, which is why it doesn't work when you click it.
 
