Did you know there is live noninvasive debugging? - Brad Rutkowski's Blog - Site Home

Say you want to check something out in KD but you don't have a debugger attached, like !vm perhaps, or you want to attach to a user mode process like LSASS and dump the threads running and their current state? Well there's is solution, obviously everything doesn't work when its noninvasive, but you can still screw the server up so be careful. Also it works on XP and later, this isn't just a vista thing.

I find myself constantly using this technique to peer into processes when I don't want to break in and take down a service. Also quite helpful to use KD -KL to look at memory consumption quickly without getting a debugger hooked up.

Usermode I like -pvr which is noninvasive and nonsuspending:

C:\debuggers_public>cdb -pvr -p 3976 -y SRV**http://msdl.microsoft.com/download/symbols

*** wait with pending attach
Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols
Executable search path is:
WARNING: Process 3976 is not attached as a debuggee
The process can be examined but debug events will not be received
...............................................................
(f88.ce8): Wake debugger - code 80000007 (first chance)
eax=0000003c ebx=00000002 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=77c2aec5 esp=0013f76c ebp=0013f804 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!ZwWaitForMultipleObjects+0x15:
77c2aec5 c21400 ret 14h

0:000> vertarget
Windows Vista Version 6000 UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.0.6000.16386 (vista_rtm.061101-2205)
Debug session time: Thu Apr 12 23:10:39.539 2007 (GMT-7)
System Uptime: 1 days 4:36:26.108
Process Uptime: 0 days 3:48:12.445
Kernel time: 0 days 0:00:00.234
User time: 0 days 0:00:00.203

For kernel debugging well we use kd -kl:

C:\Debuggers>kd -kl -y SRV**http://msdl.microsoft.com/download/symbols

***** WARNING: Your debugger is probably out-of-date.

Connected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSE
Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_gdr.070304-2232
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
Debug session time: Thu Apr 12 23:14:37.845 2007 (GMT-7)
System Uptime: 0 days 11:28:10.734
lkd> !vm

*** Virtual Memory Usage ***
Physical Memory: 262017 ( 1048068 Kb)
Page File: \??\C:\pagefile.sys
Current: 1572864 Kb Free Space: 1484016 Kb
Minimum: 1572864 Kb Maximum: 1572864 Kb
Cannot read pte range @ 808af740
Available Pages: 105545 ( 422180 Kb)
ResAvail Pages: 195302 ( 781208 Kb)
Locked IO Pages: 135 ( 540 Kb)
Free System PTEs: 43267 ( 173068 Kb)
Free NP PTEs: 32766 ( 131064 Kb)
Free Special NP: 0 ( 0 Kb)
Modified Pages: 179 ( 716 Kb)
Modified PF Pages: 162 ( 648 Kb)
NonPagedPool Usage: 4459 ( 17836 Kb)
NonPagedPool Max: 51711 ( 206844 Kb)
PagedPool 0 Usage: 7720 ( 30880 Kb)
PagedPool 1 Usage: 1096 ( 4384 Kb)
PagedPool 2 Usage: 1104 ( 4416 Kb)
PagedPool 3 Usage: 1080 ( 4320 Kb)
PagedPool 4 Usage: 1089 ( 4356 Kb)
PagedPool Usage: 12089 ( 48356 Kb)
PagedPool Maximum: 70656 ( 282624 Kb)
Shared Commit: 4266 ( 17064 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 6783 ( 27132 Kb)
PagedPool Commit: 12095 ( 48380 Kb)
Driver Commit: 1459 ( 5836 Kb)
Committed pages: 140881 ( 563524 Kb)
Commit limit: 633232 ( 2532928 Kb)

For more information look up noninvasive debugging in the debugger chm file.

-Brad

Technorati tags: windows, debugging, vista, windows 2003, XP