[SUGGESTION] WinDbg Cheat Sheet - Data Structures, Commands and Extensions

x BlueRobot

Moderator, BSOD Kernel Dump Expert, Contributor
Joined
May 7, 2013
Messages
1,878
Location
Minkowski Space
I've created my WinDbg Cheat Sheet (.DOC), which can be downloaded from my OneDrive, and I'm going to attach the file to this post too. I've excluded LPCs, Registry and the Heap because they were too long and would take about 2/3 pages in total.

I'm planning to convert some of my blog posts into a printable .DOC format; unfortunately I haven't added the images, to conserve paper and ink. However, I've edited the .DOC version slightly to compensate for this. I've got a few finished already but will probably upload them all in a single folder at a later date.

If you have any suggestions or corrections, please post them here.

**Update**

I've just remembered the !cpuinfo and !cpuid extensions. I've also corrected a mistake with the !system extension; it should have been !sysinfo.

Please check my latest post here, for the latest version of the cheat sheet.

niemiro

Senior Administrator, Windows Update Expert, Developer
Staff member
Joined
Mar 2, 2012
Messages
8,386
Location
District 12
This is amazing - thanks so much for it! I don't do that much debugging anymore having moved mostly into Windows Update, and I find it difficult to always remember how each of the commands work. This looks great :)

x BlueRobot

Moderator, BSOD Kernel Dump Expert, Contributor
Joined
May 7, 2013
Messages
1,878
Location
Minkowski Space
This is amazing - thanks so much for it! I don't do that much debugging anymore having moved mostly into Windows Update, and I find it difficult to always remember how each of the commands work. This looks great :)
Thanks, glad you like it!

x BlueRobot

Moderator, BSOD Kernel Dump Expert, Contributor
Joined
May 7, 2013
Messages
1,878
Location
Minkowski Space
*Update*

Added:

  • Power Policy Extensions
  • SwishDbgExt and ProcDumpExt
  • Registry Extensions and Data Structures
  • Local Inter-Process Calls (LPCs) Extensions
  • Heap Data Structures and Extensions
  • Windows Access Tokens
  • Miscellaneous
I've added a Contents section which is hyperlinked locally to the appropriate headings within the document. It should hopefully help improve the readability since I've added around 3-4 pages.

axe0

Forum Moderator, BSOD Kernel Dump Expert, Contributor
Staff member
Joined
May 21, 2015
Messages
756
Location
The Netherlands
The ProcDumpExt dll has, I believe, not been available for quite some time. I think the same applies to the SwishDbgExt dll.

x BlueRobot

Moderator, BSOD Kernel Dump Expert, Contributor
Joined
May 7, 2013
Messages
1,878
Location
Minkowski Space

philc43

BSOD Kernel Dump Analyst
Joined
Jul 7, 2017
Messages
111
Location
Cambridge, UK
I have discovered that Andrew Richards (author of ProcDumpExt) has made a new version of this extension called Prototype Debugger Extension (PDE). It is available on his publicly shared OneDrive.

Download the current version (ver 11.3) zip file, locate the appropriate PDE.dll file (either x64 or x86) and copy it to your WinDBG directory, e.g. C:\Program Files (x86)\Windows Kits\10\Debuggers\x64

Useful commands can be viewed by loading the extension and then viewing the help.

Code:
4: kd> !load PDE
=========================================================================================
 PDE v11.3 - Copyright 2017 Andrew Richards
=========================================================================================
4: kd> !help
=========================================================================================
 Help for Prototype Debugger Extension (PDE) v11.3 - Copyright 2009-2017 Andrew Richards
=========================================================================================
  !seek          - Equivalent of ~*knL and/or !deep 1

  !seek [-q] [-e symbol] [<symbol> [command]]
                 - Execute 'command' against stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !seek
                        !seek ReadFile
                        !seek ReadFile kbn
                        !seek ReadFile dps @rsp @rsp+0x20
                        !seek -q ReadFile !teb
                        !seek -e SleepEx ReadFile !teb

  !seek -?        - Display the help for !seek
  !seek -help     - Display the help for !seek

=========================================================================================
  !deep          - Equivalent of ~*knL but only displays stacks that are at least
                   'depth' frames deep (default depth is 1)

  !deep [<depth> [-q] [-s symbol] [-e symbol] [command]]
                 - Execute 'command' against stacks that are at least 'depth' frames deep

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-s' to only include stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !deep
                        !deep 25
                        !deep 25 kbn
                        !deep 25 dps @rsp @rsp+0x20

                        !deep 25 -q
                        !deep 25 -q !teb

                        !deep 25 -s ReadFile
                        !deep 25 -s ReadFile kbn
                        !deep 25 -s ReadFile dps @rsp @rsp+0x20

                        !deep 25 -e SleepEx
                        !deep 25 -e SleepEx kbn
                        !deep 25 -e SleepEx dps @rsp @rsp+0x20

  !deep -?        - Display the help for !deep
  !deep -help     - Display the help for !deep

=========================================================================================
  !busy          - Equivalent of ~*knL but only displays stacks that are at least
                   'depth' frames deep (default depth is 1) and are not waiting for:-
                    ~ ntdll!NtWaitFor*
                    ~ ntdll!ZwWaitFor*
                    ~ ntdll!NtRemoveIoCompletion
                    ~ ntdll!ZwRemoveIoCompletion
                    ~ ntdll!NtReplyWaitReceivePort
                    ~ ntdll!ZwReplyWaitReceivePortEx

  !busy [<depth> [-x] [-q] [-s symbol] [-e symbol] [command]]
                 - Execute 'command' against stacks that are at least 'depth' frames deep
                   and are not waiting (for the list above)

                 - Specify '-x' to also exclude waiters of network calls, sleeps nad messages:-
                    ~ ntdll!NtRequestWaitReplyPort
                    ~ ntdll!ZwRequestWaitReplyPort
                    ~ ntdll!NtDelayExecution
                    ~ ntdll!ZwDelayExecution
                    ~ ntdll!RtlDeactivateActivationContextUnsafeFast
                    ~ *!NtUserWaitMessage
                    ~ *!ZwUserWaitMessage
                    ~ *!ZwUserGetMessage
                    ~ *!NtUserGetMessage

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-s' to only include stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !busy
                        !busy 25
                        !busy 25 kbn
                        !busy 25 dps @rsp @rsp+0x20

                        !busy 25 -x
                        !busy 25 -x kbn
                        !busy 25 -x dps @rsp @rsp+0x20

                        !busy 25 -q
                        !busy 25 -q !teb

                        !busy 25 -s ReadFile
                        !busy 25 -s ReadFile kbn
                        !busy 25 -s ReadFile dps @rsp @rsp+0x20

                        !busy 25 -e SleepEx
                        !busy 25 -e SleepEx kbn
                        !busy 25 -e SleepEx dps @rsp @rsp+0x20

  !busy -?        - Display the help for !busy
  !busy -help     - Display the help for !busy

=========================================================================================
  !dpx           - Equivalent of dps, dpp, dpa and dpu (combined); also class types (dt) and trap frames (kV)

  !dpx           - Displays from stack pointer to the stack base
  !dpx N         - Displays the first N values, from the stack pointer down
  !dpx <addr> N
                 - Displays the first N values, from <addr> down
  !dpx <addr> <addr>
                 - Displays from addr to addr

                 - Specify '-u' to display an unlimited number of values
                   Default limit is 6,000 addresses

                 - Specify '-a' to display all stack values
                   Default only displays stack values that point to a value

                 - Interface pointers are adjusted to align with the class's virtual function table (vftable)
                 - When there is a value adjustment, the pointer is displayed in light blue text

                 - Specify the following to limit the types; multiple options are allowed
                   -da : ANSI strings
                   -du : UNICODE strings
                   -dt : Data Types
                   -ds : Symbols
                   -df : Trap Frames (Kernel only)
                   -dse: Stowed Exceptions (WinRT apps only)


                   e.g. !dpx
                        !dpx 20
                        !dpx -a
                        !dpx -da -du 20
                        !dpx <addr> <addr> -u
                        !dpx <addr> <addr> -u -a

=========================================================================================
  !spx           - Find an expression (number) or data type (symbol)
                 - Search is pointer aligned
                 - Special handling for multiple interface classes
                 - Add -dt to perform a 'dt' on each address
                 - Very fast in User Mode
                 - Very slow in Kernel Mode

  !spx [-dt] [-s <addr>] [-e <addr>] <expression>

                   e.g. !spx combase!CComApartment
                        !spx -dt combase!CComApartment
                        !spx -s @rsp -e @rsp+1000 0x1234000+0n56

=========================================================================================
  !ssz           - Find ANSI and UNICODE strings
  !ssa           - Find ANSI strings
  !ssu           - Find UNICODE strings
                 - Search is case sensitive
                 - Displays up to 200 characters after the initial match
                 - UNICODE search is a conversion of the ANSI command line
                 - Very FAST in User Mode
                 - Very slow in Kernel Mode

  !ssz [-s <addr>] [-e <addr>] <string>
  !ssa [-s <addr>] [-e <addr>] <string>
  !ssu [-s <addr>] [-e <addr>] <string>

                   e.g. !ssz Program Files
                        !ssz Windows
                        !ssz -s @rsp -e @rsp+1000 User

=========================================================================================
  !dtr           - Equivalent of dt for each valid register
 
  !dtr [args]
  !dtr           - Lists registers that point to an address; includes class type
  !dtr <arg>     - Equivalent of dt @reg <arg> for each valid register
                     !dtr <arg> --> dt @reg <arg>

                   e.g. !dtr
                        !dtr nt!_ERESOURCE
                        !dtr nt!_ERESOURCE Flag

=========================================================================================
  !grep          - Only shows lines which contain <search>
                 - Search is case insensitive
                 - Lines are delimited by newline ('\n')
                 - !grep can be chained

  !grep <search> <command>

                   e.g. !grep days vertarget
                        !grep call u @eip
                        !grep dt !dpx
                        !grep dt !grep DUser !dpx

  !ungrep        - Same as !grep but exclusion

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  !bold          - Highlight the lines which contain <search>
                 - Search is case insensitive
                 - Lines are delimited by newline ('\n')

  !bold <search> <command>

                   e.g. !bold version vertarget
                        !bold call uf ntdll!RtlUserThreadStart

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  !head          - Display the first N bytes of a command
  !tail          - Display the last N bytes of a command

  !head <bytes> <command>
  !tail <bytes> <command>

=========================================================================================
  !ghostthreads  - Lists all threads; real or ghosts
  !gt            - Same as !ghostthreads

  !gt [command]  - If 'command' is specified, the command is run
                   for each thread, instead of the summary table.

                 - The following substitutions are made:
                   - $teb   - TEB Address
                   - $base  - Stack Base Address
                   - $limit - Stack Limit Address

                   e.g. !gt !teb $teb
                        !gt !dpx $base $limit

=========================================================================================
  !loadsos        - Runs #1
  !loadpsscor     - Runs #2
  !loadsosex      - Runs #3
  !loadspext      - Runs #4

  Define PDE_LOADCORDLL to change the default (at load)
                  0 = Disabled
                  1 = SOS (default)
                  2 = PSSCORx + SOSEX
                  3 = SOS + SOSEX
                  4 = SOS + SOSEX + SPEXT 

=========================================================================================
  !comment        - Display the dump's comment (with DML)

  !notes          - Executes commands based on the dump type - starts your case notes
  !exr            - Executes commands based on the exception code (.exr -1)

  !line           - Print a line
  !bigline        - Print three big lines

  !du <addr>      - Display a UNICODE string (up to 4Gb)
  !da <addr>      - Display a ANSI string (up to 4Gb)
  !err <code>     - Display an Error Code
  !guid <addr>    - Display a GUID

  !url <url>      - Open a url; use !ext.url instead

  !kr             - knL printed upside down so WinDiff works better

  !dtr            - Displays Data Types in Registers
  !msr            - Displays the Model-Specific Registers (MSR)

  !stowedexceptions
                  - Display the Stowed Exceptions of a Store app
  !dse            - Same as !stowedexceptions
  !bgtask         - Display the Background Tasks of a Store app

  !symsrvaudit    - Display the SRV status of each lookup made during the command
                  - Command defaults to ".reload /f"

  !diadump <module>
                  - Dump the DIA Tables and Assembly Information of the specified Module

  !dbgp           - Dump a DBGP ACPI table
  !dbg2           - Dump a DBG2 ACPI table
  !msdm           - Dump a MSDM ACPI table
  !slic           - Dump a SLIC ACPI table

  !dmem           - Display the Memory Regions of a User Mode dump
  !vmem           - Display the Virtual Regions of a User Mode process

  !tags [GUID]    - List the GUID and Size of the secondary callback chunks
  !tagshex [GUID] - List the GUID and Size of the secondary callback chunks, and dump in HEX
  !tagstext [GUID]- List the GUID and Size of the secondary callback chunks, and dump in TEXT

  !crashtask      - Enable crashdump support on the current (modern) process

  !dml            - Toggle .prefer_dml
  !dmlraw         - Print DML output as TEXT (used to review DML)

  !help           - Displays the help for all commands

=========================================================================================
  -- Defaults -- 
  DML On          - .prefer_dml 1
  UNICODE On      - .enable_unicode 1
  Ignore Pages On - .ignore_missing_pages 1
  Lines Disabled  - .lines -d

  -- Aliases -- 
  symoff          - .outmask- 0x200
  symon           - .outmask+ 0x200
  dml             - !PDE.dml
  av              - !ext.analyze -nodb -v
  avv             - !ext.analyze -nodb -v6
  ax              - !ext.analyze -nodb -xml
  axv             - !ext.analyze -nodb -xml -xcs -xmi
  axs             - !ext.analyze -nodb -xsd
  show            - !ext.analyze -show
  sn              - !sym noisy
  sq              - !sym quiet
  rf              - .reload /f
  ru              - .reload /u

=========================================================================================
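The install steps philc43 describes (unzip, pick the x64 or x86 PDE.dll, copy it into the Debuggers directory) as an added PowerShell helper that is not part of this thread or of the PDE project. It assumes the zip contains x64\PDE.dll and x86\PDE.dll; because an extension DLL executes inside the debugger process, it checks the file's Authenticode signature and records its SHA256 before copying, and only installs an unsigned build if you pass -AllowUnsigned.

```powershell
# Added helper (not from the thread): installs PDE.dll into the WinDbg
# directory the post names, selecting the build that matches the debugger.
# Assumptions: $ZipPath is the PDE zip downloaded from the author's OneDrive
# and it contains x64\PDE.dll and x86\PDE.dll. Whether PDE.dll is signed is
# not stated in the thread, hence the -AllowUnsigned switch.
param(
    [Parameter(Mandatory)] [string] $ZipPath,
    [ValidateSet('x64', 'x86')] [string] $Arch = 'x64',
    [string] $DebuggerRoot = 'C:\Program Files (x86)\Windows Kits\10\Debuggers',
    [switch] $AllowUnsigned
)

$ErrorActionPreference = 'Stop'

# Unpack into a throwaway staging directory so nothing is written to the
# debugger tree until the DLL has been checked.
$stage = Join-Path $env:TEMP ('pde-' + [guid]::NewGuid())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $stage

# Find the PDE.dll that sits in the x64 or x86 folder of the extracted tree.
$dll = Get-ChildItem -LiteralPath $stage -Recurse -Filter 'PDE.dll' |
    Where-Object { $_.DirectoryName -match "\\$Arch(\\|$)" } |
    Select-Object -First 1
if (-not $dll) { throw "No PDE.dll for $Arch found in $ZipPath" }

# The DLL runs inside windbg.exe/kd.exe with the debugger's privileges, so
# verify who signed it before it is placed where !load will pick it up.
$sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
if ($sig.Status -ne 'Valid') {
    if (-not $AllowUnsigned) {
        throw "Signature status is '$($sig.Status)'; re-run with -AllowUnsigned to install anyway"
    }
    Write-Warning "Installing PDE.dll with signature status '$($sig.Status)'"
} else {
    "Signed by: $($sig.SignerCertificate.Subject)"
}

# Record the hash so the installed copy can be re-verified later.
$hash = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
"SHA256 of $($dll.Name): $hash"

$dest = Join-Path $DebuggerRoot $Arch
if (-not (Test-Path -LiteralPath $dest)) { throw "Debugger directory not found: $dest" }
Copy-Item -LiteralPath $dll.FullName -Destination $dest
"Installed to $dest. In WinDbg run: !load PDE, then !help"

Remove-Item -LiteralPath $stage -Recurse -Force
```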