Some useful debugging commands

Some useful debugging commands

  • Comments 2
  • Likes

All of these are for kernel mode, these are just commands I use often that don't troubleshoot a particular problem, but are helpful in getting a general picture of the system.  If you have a specific issue you're trying to understand, drop a note and I'll see if there is a command to help you out.

Vertarget:

Lists Version information for the machine/dump you're debugging.  You can also use "version" to tell you about the debugger bits.

1: kd> vertarget
Windows Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`0160c000 PsLoadedModuleList = 0xfffff800`017d1db0
Debug session time: Tue Apr  1 14:29:22.553 2008 (GMT-7)
System Uptime: 0 days 0:03:14.328

!sysinfo

Good utility to check the CPU revs, BIOS revs, etc

1: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.3, DMIVersion 35, Size=3752]
BiosVendor = American Megatrends Inc.
BiosVersion = 080002
BiosReleaseDate = 10/01/2007
SystemManufacturer = Microsoft Corporation
SystemProductName = Virtual Machine
SystemVersion = 5.0
BaseBoardManufacturer = Microsoft Corporation
BaseBoardProduct = Virtual Machine
BaseBoardVersion = 5.0

1: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2660
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ Intel64 Family 6 Model 15 Stepping 6
ProcessorNameString = REG_SZ Intel(R) Xeon(R) CPU            5150  @ 2.66GHz
Update Signature = REG_BINARY 0,0,0,0,0,0,0,0
Update Status = REG_DWORD 8
VendorIdentifier = REG_SZ GenuineIntel
MSR8B = REG_QWORD 0

Getting the server name from the dump:

It's quite a bit easier to do internally, but this will get it done too.  Good to know you're debugging the right server. :)

1: kd> x srv!SrvComputerName
fffffa60`04024500 srv!SrvComputerName = <no type information>
1: kd> dq fffffa60`04024500
fffffa60`04024500  00000000`00180018 fffff880`04ccd8c0
fffffa60`04024510  00000000`00000000 00000000`00000000
fffffa60`04024520  00000000`00000000 00000000`00000000
fffffa60`04024530  00000000`000c000a fffff880`04a0fc60
fffffa60`04024540  fffffa60`04024540 fffffa60`04024540
fffffa60`04024550  00000000`00060001 fffffa60`04024558
fffffa60`04024560  fffffa60`04024558 00000000`ffffffff
fffffa60`04024570  00000000`00000000 00000000`00000000
1: kd> du fffff880`04ccd8c0
fffff880`04ccd8c0  "BRAD-LHDC-01?"

!running -ti

This will dump the stacks of each thread that is running on each processor

1: kd> !running -ti

System Processors f (affinity mask)
  Idle Processors f
All processors idle.

     Prcb              Current           Next
  0  fffff80001780680  fffff80001785b80                    ................

Child-SP          RetAddr           Call Site
fffff800`026bb8d0 fffffa60`00a066da nt!KeSetTimer+0x89
fffff800`026bb920 fffffa60`00a06aca NETIO!WfpStartTimerForLeftTime+0x8a
fffff800`026bb970 fffffa60`00a06585 NETIO!WfppLeastRecentlyUsedTimerRoutine+0x1aa
fffff800`026bb9c0 fffffa60`00a067ff NETIO!WfpTimerWheelTimeoutHandler+0x175
fffff800`026bba40 fffff800`016698b3 NETIO!WfpSysTimerNdisCallback+0x4f
fffff800`026bba70 fffff800`0166a238 nt!KiTimerListExpire+0x333
fffff800`026bbca0 fffff800`0166aa9f nt!KiTimerExpiration+0x1d8
fffff800`026bbd10 fffff800`0166bb72 nt!KiRetireDpcList+0x1df
fffff800`026bbd80 fffff800`018395c0 nt!KiIdleLoop+0x62
fffff800`026bbdb0 00000000`fffff800 nt!zzz_AsmCodeRange_End+0x4

  1  fffffa60005f3180  fffffa60005fcd40                    ................

Child-SP          RetAddr           Call Site
fffffa60`0171bb08 fffff800`016b03d7 nt!RtlpBreakWithStatusInstruction
fffffa60`0171bb10 fffff800`0165afef nt! ?? ::FNODOBFM::`string'+0x356a
fffffa60`0171bb50 fffffa60`026867a2 nt!KiSecondaryClockInterrupt+0x11f
fffffa60`0171bce8 fffffa60`02685685 intelppm!C1Halt+0x2
fffffa60`0171bcf0 fffff800`0167c7c8 intelppm!C1Idle+0x9
fffffa60`0171bd20 fffff800`0166bb31 nt!PoIdle+0x148
fffffa60`0171bd80 fffff800`018395c0 nt!KiIdleLoop+0x21
fffffa60`0171bdb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4

!stacks

This is a great utility to check what threads are waiting on for each process.  Find out more in the debuggers chm.

1: kd> !stacks 2
Proc.Thread  .Thread  Ticks   ThreadState Blocker

Max cache size is       : 1048576 bytes (0x400 KB)
Total memory in cache   : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
    counts: 0 cached/0 uncached, 0.00% cached
    bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
                            [fffffa8000c77950 System]
   4.000008  fffffa8000c774c0 ffffe94b GATEWAIT   nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForGate+0x22a
                                        nt!MmZeroPageThread+0x162
                                        nt!Phase1Initialization+0xe
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16
   4.000010  fffffa8000ca0720 ffffff8c Blocked    nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForSingleObject+0x2da
                                        nt!PopIrpWorkerControl+0x22
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16
   4.000014  fffffa8000c78bb0 fffffcb0 Blocked    nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForSingleObject+0x2da
                                        nt!PopIrpWorker+0x164
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16

<SNIP>

!PCR

Command will show you some useful info from the processor control block.  Like the current thread, next, DPQ queues (Can run !dpcs).

1: kd> !pcr
KPCR for Processor 1 at fffffa60005f3000:
    Major 1 Minor 1
        NtTib.ExceptionList: fffffa60005fd280
            NtTib.StackBase: fffffa60005f6cc0
           NtTib.StackLimit: 000000000554f578
         NtTib.SubSystemTib: fffffa60005f3000
              NtTib.Version: 00000000005f3180
          NtTib.UserPointer: fffffa60005f37f0
              NtTib.SelfTib: 000007fffff8a000

                    SelfPcr: 0000000000000000
                       Prcb: fffffa60005f3180
                       Irql: 0000000000000000
                        IRR: 0000000000000000
                        IDR: 0000000000000000
              InterruptMode: 0000000000000000
                        IDT: 0000000000000000
                        GDT: 0000000000000000
                        TSS: 0000000000000000

              CurrentThread: fffffa60005fcd40
                 NextThread: 0000000000000000
                 IdleThread: fffffa60005fcd40

                  DpcQueue:  0xfffffa800124dc70 0xfffffa6000e7abe0 [Normal] tcpip!TcpPeriodicTimeoutHandler

1: kd>

!LMI <driver>

When I want to find out ifno about a particular driver in the dump, i use "lm n t" to get all of them, but then !lmi to drill into one.  I use it quite often to see if I have the private or public symbol loaded

1: kd> !lmi srv.sys
Loaded Module Info: [srv.sys]
         Module: srv
   Base Address: fffffa6004007000
     Image Name: srv.sys
   Machine Type: 34404 (X64)
     Time Stamp: 47919135 Fri Jan 18 21:57:09 2008
           Size: 94000
       CheckSum: 70fe5
Characteristics: 22  perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    20, 142c8,   136c8 RSDS - GUID: {D3FD3BA3-615D-437E-83B9-D339ED15DEE3}
               Age: 2, Pdb: srv.pdb
                CLSID     4, 142c4,   136c4 [Data not mapped]
     Image Type: MEMORY   - Image read successfully from loaded memory.
    Symbol Type: PDB      - Symbols loaded successfully from symbol server.
                 C:\Debugger_Public\sym\srv.pdb\D3FD3BA3615D437E83B9D339ED15DEE32\srv.pdb
    Load Report: public symbols , not source indexed
                 C:\Debugger_Public\sym\srv.pdb\D3FD3BA3615D437E83B9D339ED15DEE32\srv.pdb

Comments
  • Hi Brad, this is good stuff.

    I'm looking for some commands on determining the status of IPIs on an x64 system.

    Q: Do you know of such commands?

    Example: on x86 I can use the !ipi command but not on x64.

    Thanks!

  • Your nice technique for getting the server name reduces to

    .printf "%msu\n", srv!SrvComputerName

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment