Windows Driver Debugging
Posted April 9, 2003
Chat Date: March 24, 2003
Please note: Portions of this transcript have been edited for clarity
Chat Participants:
- Martin Chisholm, Tester in the Active Directory team
- Adi Oltean, Developer in the Storage Services team, Windows group
- Takefumi Kakimoto, OEM Support Tools Project Manager in Japan
- Takeshi Misu Tester in Hardware and Driver Quality Group in Japan
- Larry Zhu, Developer working in the windows security team
- Saji Abraham, Developer in the COM(+)/DCOM team
- David Grant, Developer in the Solution Integration Engineering Team
- Wendy Shi, Support engineer from DDK Developer Support
- Jamie Hanrahan, Driver consultant and seminar leader
- Karan Mehra, Developer in the Drivers Storage Team
- John Bukowski, Escalation Engineer in the Critical Problem Resolution Group
- Drew Bliss, Developer in the debugger team
- Takeshi Arai, Developer in OEM support tools group
- Larry King (no relation to the talk-show host). I write the debugger documentation
- Laura Keller, Program manager, Technical & Strategic Communications
- Eric Sassaman, Program manager, Product Support Services
We know that thousands of people read these transcripts on MSDN, but we would like to know how useful they are to you. Please send us an email at ATEO@Microsoft.com and tell us how this information or redirection to other information sources helped you do your job.
Moderator: Laura (Microsoft)
Welcome to today's Q&A session on Windows Driver Debugging. Questions, comments, and suggestions are welcome during the hour.
Host: Jamie (Microsoft)
Q: But, without source of Windows XP or 2000, it is possible for kernel debugging?
A: Yes, there is a tremendous amount of debugging possible without OS source. You do need some familiarity with the OS internals.
Host: Drew (Microsoft)
Q: ba on byte/word
A: Support matches what the processor offers. x86 supports byte/word/dword.
Host: Drew (Microsoft)
Q: Debugger scripts
A: You can write debugger extensions which perform arbitrary operations.
Host: Drew (Microsoft)
Q: Debugger scripts
A: The debugger documentation has more on extensions.
Host: Drew (Microsoft)
Q: 1394 debugging
A: Yes, it does. Initial releases had some instability but we are improving the drivers.
Host: Adi (Microsoft)
Q: Debugger scripts...
A: You can also use the $< command to execute a script inside a debugger.
Host: Ilyak (Microsoft)
Q: Debugger scripts -- a) It is possible to use !list command b) It is possible to do rudimentary traversals with built-in 'z' command
Host: LZhu (Microsoft)
Q: Debugger scripts: What type of scripts would the $< command accept?
A: Any legitimate debugger commands, this is an example, name this file as command.s "* kerb cred lists !listx -x "dt -r kerberos!_KERB_CREDENTIAL" kerberos!KerbCredentialList" note "stuff after * is comments" then, $< command.s
Host: Drew (Microsoft)
Q: If I have, in driver, a virtual address to a buffer (which is fragmented in physical memory), is there a way in WinDbg to display the entire buffer with physical addressing (show all the fragments in a single display)?
A: Not with a default command. The dump commands only display contiguous memory. You could write an extension to do it.
Host: LZhu (Microsoft)
Q: Are there other methods for detecting an attached debugger than IsDebuggerPresent()?
A: use "dt nt!_EPROCESS <addr of proecess object> DebugPort"
Host: Drew (Microsoft)
Q: Are there other methods for detecting an attached debugger than IsDebuggerPresent()?
A: From user-mode or from a debugger? What are you trying to accomplish?
Host: Larry (Microsoft)
Q: Where can I get examples on writing extensions?
A: The debugger kit includes several sample extensions. When you install the kit, do a "custom install" and be sure to select all the check-boxes. You may need to install the Windows DDK as well, because the Build Utility that ships with the DDK is used to build debugger extensions.
Host: Drew (Microsoft)
Q: (Drew) User-mode, trying to detect a debugger for meager reverse-engineering prevention. Sometimes IsDebuggerPresent() is circumvented and any other means would be somewhat helpful.
A: There isn't really a mechanism that can't be interfered with. IsDebuggerPresent is about as safe as it gets.
Host: Drew (Microsoft)
Q: (Drew) Not looking for a mechanism that can't be interfered with, but, perhaps, a secondary mechanism to fallback on periodically.
A: There's a field in the PEB (BeingDebugged) that marks whether the process is being debugged, but that's what IsDebuggerPresent checks. If you want to make it difficult for debuggers you can throw a lot of exceptions and the like.
Host: Wendy (Microsoft)
Q: Is it possible to run windbg in target machine? It's too slow over serial if I have lots of output.
A: You can do local debugging on your target machine. But local kernel debugging is only supported on Windows XP and Windows Server 2003. Please check more info from Windbg help. If the speed is the only concern, you can use 1394 connection.
Host: Larry (Microsoft)
Q: Will Microsoft ever support an IDE with the DDK (vs. relying on third party vendors)?
A: We have no plans to make WinDbg into a full IDE. As Drew mentioned above, we are open to new GUI suggestions!
Host: Drew (Microsoft)
Q: Wendy, thank. But I tried once on XP, I can't dump any physical address, so I think it's not really supported on target.
A: Can you describe the problem you had more clearly? The feature is supported on XP.
Host: Jamie (Microsoft)
Q: You can use 1394 connection. I'm currently using 6.1.0009.0, is there a version that will support TCP/IP?
A: No, it takes too much code and "state" to support tcp/ip on the target side. Legacy serial ports, 1394, or (soon) USB 2.0.
Host: Drew (Microsoft)
Q: I ran windbg on target, I type "dd [uc] xxx" and windbg fails it, also I don't see debug message in windbg windows. While I have no problem if using serial windbg.
A: Yes, there are some limitations for the local kernel mode as its access to machine state is not quite as complete due to cooperation with the OS.
Host: Larry (Microsoft)
Q: .server is great for remoting. It can do secure remotes (via SSL), but I have not been able to figure out the syntax of '.server spipe <bla-bla-bla>'. What's the <bla-bla-bla> part look like?
A: This will be in the documentation for the next release of the docs. Until that release, you might want you can write to windbgfb@microsoft.com.
Host: Jamie (Microsoft)
Q: Or (soon) USB 2.0. This is great! But how will it work peer-to-peer?
A: A USB "widget" goes between the two peers. This was demo'd at WinHEC '02.
Host: John (Microsoft)
Q: So, if a explorer was hang-up, how know I the process?
A: In the kernel debugger you would use "!process 0 0" to list all of the processes. Once you find the process, use !process EPROCESS 7 to dump the process and thread information. To debug a hung process, there are various commands like !locks in user mode to dump critical section that are held, or if you have a spinning thread, you can set breakpoints on previous functions in the stack.
Host: Adi (Microsoft)
Q: How to debug source code in NTSD/KD (in a similar way as in WinDbg)?
A: The commands are ".lines" followed by "l+*". Following that, you can step directly into source code, and "ls." will show you the current source. Before that, you need to run ".srcpath" to set the path to the source.
Host: Ilyak (Microsoft)
Q: How to debug source code in NTSD/KD (in a similar way as in WinDbg
A: l+l;l+s;l+t first: Then can do lsa, ls, lsp, lsc, lsf -- read doc
Moderator: Laura (Microsoft)
If you would like to conduct a more extensive discussion on a topic than we are able to cover in this online session, please take topics of interest to the Microsoft public newsgroups. Three of the most active are . . .
Microsoft.public.development.device.drivers, Microsoft.public.windbg, and Microsoft.public.windowsxp.winlogo.
Moderator: Laura (Microsoft)
Thanks for joining us today and thanks for the questions. It's time for us to go now. Please see the schedule for upcoming Ask the Experts Online topics <https://msdn.microsoft.com/chats/>.
Thanks again and good-bye all!!
For further information on this topic please visit the following:
Newsgroups:
Microsoft.public.development.device.drivers
Windows Drivers Transcripts: Read the archive
Website: Visit the Community Home Page for Windows Platform Development
Top of page