Some useful debugging commands

All of these are for kernel mode. They are commands I use often; they don't troubleshoot a particular problem, but they are helpful in getting a general picture of the system. If you have a specific issue you're trying to understand, drop a note and I'll see if there is a command to help you out.

Vertarget:

Lists version information for the machine/dump you're debugging. You can also use "version" to tell you about the debugger bits.

1: kd> vertarget
Windows Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`0160c000 PsLoadedModuleList = 0xfffff800`017d1db0
Debug session time: Tue Apr  1 14:29:22.553 2008 (GMT-7)
System Uptime: 0 days 0:03:14.328

!sysinfo

A good utility for checking the CPU revs, BIOS revs, etc.

1: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.3, DMIVersion 35, Size=3752]
BiosVendor = American Megatrends Inc.
BiosVersion = 080002
BiosReleaseDate = 10/01/2007
SystemManufacturer = Microsoft Corporation
SystemProductName = Virtual Machine
SystemVersion = 5.0
BaseBoardManufacturer = Microsoft Corporation
BaseBoardProduct = Virtual Machine
BaseBoardVersion = 5.0

1: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2660
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ Intel64 Family 6 Model 15 Stepping 6
ProcessorNameString = REG_SZ Intel(R) Xeon(R) CPU            5150  @ 2.66GHz
Update Signature = REG_BINARY 0,0,0,0,0,0,0,0
Update Status = REG_DWORD 8
VendorIdentifier = REG_SZ GenuineIntel
MSR8B = REG_QWORD 0

Getting the server name from the dump:

It's quite a bit easier to do internally, but this will get it done too. It's good to know you're debugging the right server. :)

1: kd> x srv!SrvComputerName
fffffa60`04024500 srv!SrvComputerName = <no type information>
1: kd> dq fffffa60`04024500
fffffa60`04024500  00000000`00180018 fffff880`04ccd8c0
fffffa60`04024510  00000000`00000000 00000000`00000000
fffffa60`04024520  00000000`00000000 00000000`00000000
fffffa60`04024530  00000000`000c000a fffff880`04a0fc60
fffffa60`04024540  fffffa60`04024540 fffffa60`04024540
fffffa60`04024550  00000000`00060001 fffffa60`04024558
fffffa60`04024560  fffffa60`04024558 00000000`ffffffff
fffffa60`04024570  00000000`00000000 00000000`00000000
1: kd> du fffff880`04ccd8c0
fffff880`04ccd8c0  "BRAD-LHDC-01?"
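
The dq/du steps above, worked through offline as an added example (not code from the original post). It assumes srv!SrvComputerName is an x64 UNICODE_STRING, which the 0018/0018/pointer layout in the dq output suggests; the function names are hypothetical and the bytes standing in for the memory at Buffer are constructed.

```python
import struct

# First line of the dq output shown on the page.
DQ_LINE = "fffffa60`04024500  00000000`00180018 fffff880`04ccd8c0"

# Constructed stand-in for the memory at Buffer: the 12 name characters in
# UTF-16LE, then one non-null wchar and a terminator, so a null-terminated
# read (as du does) runs past the counted length.
SAMPLE_BUFFER = "BRAD-LHDC-01".encode("utf-16-le") + b"\x07\x00\x00\x00"


def parse_dq_line(line):
    """Return (address, [qwords]) from one line of kd 'dq' output."""
    fields = line.replace("`", "").split()
    return int(fields[0], 16), [int(f, 16) for f in fields[1:]]


def decode_unicode_string_header(qwords):
    """Interpret two qwords as an x64 UNICODE_STRING header (assumed layout:
    USHORT Length, USHORT MaximumLength, 4 bytes padding, PWSTR Buffer)."""
    raw = struct.pack("<QQ", qwords[0], qwords[1])
    length, max_length, _pad, buffer = struct.unpack("<HHIQ", raw)
    # Length is in bytes, must be even (UTF-16) and fit in the allocation.
    if length % 2 or length > max_length:
        raise ValueError("not a plausible UNICODE_STRING header")
    return {"Length": length, "MaximumLength": max_length, "Buffer": buffer}


def counted_string(header, memory_at_buffer):
    """Decode exactly Length bytes, ignoring whatever follows in memory."""
    data = memory_at_buffer[: header["Length"]]
    if len(data) < header["Length"]:
        raise ValueError("buffer read is shorter than Length")
    return data.decode("utf-16-le")


def server_name_from_dump():
    _addr, qwords = parse_dq_line(DQ_LINE)
    header = decode_unicode_string_header(qwords)
    return header, counted_string(header, SAMPLE_BUFFER)


if __name__ == "__main__":
    header, name = server_name_from_dump()
    print(f"Length={header['Length']:#x} Buffer={header['Buffer']:#x} Name={name}")
```

Length is 0x18 bytes, i.e. 12 UTF-16 characters, so the trailing "?" in the du output lies outside the counted string. In the debugger, dS on the structure address displays a UNICODE_STRING using its Length field.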

!running -ti

This will dump the stack of the thread that is running on each processor.

1: kd> !running -ti

System Processors f (affinity mask)
  Idle Processors f
All processors idle.

     Prcb              Current           Next
  0  fffff80001780680  fffff80001785b80                    ................

Child-SP          RetAddr           Call Site
fffff800`026bb8d0 fffffa60`00a066da nt!KeSetTimer+0x89
fffff800`026bb920 fffffa60`00a06aca NETIO!WfpStartTimerForLeftTime+0x8a
fffff800`026bb970 fffffa60`00a06585 NETIO!WfppLeastRecentlyUsedTimerRoutine+0x1aa
fffff800`026bb9c0 fffffa60`00a067ff NETIO!WfpTimerWheelTimeoutHandler+0x175
fffff800`026bba40 fffff800`016698b3 NETIO!WfpSysTimerNdisCallback+0x4f
fffff800`026bba70 fffff800`0166a238 nt!KiTimerListExpire+0x333
fffff800`026bbca0 fffff800`0166aa9f nt!KiTimerExpiration+0x1d8
fffff800`026bbd10 fffff800`0166bb72 nt!KiRetireDpcList+0x1df
fffff800`026bbd80 fffff800`018395c0 nt!KiIdleLoop+0x62
fffff800`026bbdb0 00000000`fffff800 nt!zzz_AsmCodeRange_End+0x4

  1  fffffa60005f3180  fffffa60005fcd40                    ................

Child-SP          RetAddr           Call Site
fffffa60`0171bb08 fffff800`016b03d7 nt!RtlpBreakWithStatusInstruction
fffffa60`0171bb10 fffff800`0165afef nt! ?? ::FNODOBFM::`string'+0x356a
fffffa60`0171bb50 fffffa60`026867a2 nt!KiSecondaryClockInterrupt+0x11f
fffffa60`0171bce8 fffffa60`02685685 intelppm!C1Halt+0x2
fffffa60`0171bcf0 fffff800`0167c7c8 intelppm!C1Idle+0x9
fffffa60`0171bd20 fffff800`0166bb31 nt!PoIdle+0x148
fffffa60`0171bd80 fffff800`018395c0 nt!KiIdleLoop+0x21
fffffa60`0171bdb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4

!stacks

This is a great utility to check what the threads in each process are waiting on. Find out more in the debugger's CHM help file.

1: kd> !stacks 2
Proc.Thread  .Thread  Ticks   ThreadState Blocker

Max cache size is       : 1048576 bytes (0x400 KB)
Total memory in cache   : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
    counts: 0 cached/0 uncached, 0.00% cached
    bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
                            [fffffa8000c77950 System]
   4.000008  fffffa8000c774c0 ffffe94b GATEWAIT   nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForGate+0x22a
                                        nt!MmZeroPageThread+0x162
                                        nt!Phase1Initialization+0xe
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16
   4.000010  fffffa8000ca0720 ffffff8c Blocked    nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForSingleObject+0x2da
                                        nt!PopIrpWorkerControl+0x22
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16
   4.000014  fffffa8000c78bb0 fffffcb0 Blocked    nt!KiSwapContext+0x7f
                                        nt!KiSwapThread+0x2fa
                                        nt!KeWaitForSingleObject+0x2da
                                        nt!PopIrpWorker+0x164
                                        nt!PspSystemThreadStartup+0x57
                                        nt!KiStartSystemThread+0x16

<SNIP>

!PCR

This command will show you some useful info from the processor control block, such as the current thread, the next thread, and the DPC queue (you can also run !dpcs).

1: kd> !pcr
KPCR for Processor 1 at fffffa60005f3000:
    Major 1 Minor 1
        NtTib.ExceptionList: fffffa60005fd280
            NtTib.StackBase: fffffa60005f6cc0
           NtTib.StackLimit: 000000000554f578
         NtTib.SubSystemTib: fffffa60005f3000
              NtTib.Version: 00000000005f3180
          NtTib.UserPointer: fffffa60005f37f0
              NtTib.SelfTib: 000007fffff8a000

                    SelfPcr: 0000000000000000
                       Prcb: fffffa60005f3180
                       Irql: 0000000000000000
                        IRR: 0000000000000000
                        IDR: 0000000000000000
              InterruptMode: 0000000000000000
                        IDT: 0000000000000000
                        GDT: 0000000000000000
                        TSS: 0000000000000000

              CurrentThread: fffffa60005fcd40
                 NextThread: 0000000000000000
                 IdleThread: fffffa60005fcd40

                  DpcQueue:  0xfffffa800124dc70 0xfffffa6000e7abe0 [Normal] tcpip!TcpPeriodicTimeoutHandler

1: kd>

!LMI <driver>

When I want to find out info about a particular driver in the dump, I use "lm n t" to get all of them, but then !lmi to drill into one. I use it quite often to see if I have the private or public symbols loaded.

1: kd> !lmi srv.sys
Loaded Module Info: [srv.sys]
         Module: srv
   Base Address: fffffa6004007000
     Image Name: srv.sys
   Machine Type: 34404 (X64)
     Time Stamp: 47919135 Fri Jan 18 21:57:09 2008
           Size: 94000
       CheckSum: 70fe5
Characteristics: 22  perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    20, 142c8,   136c8 RSDS - GUID: {D3FD3BA3-615D-437E-83B9-D339ED15DEE3}
               Age: 2, Pdb: srv.pdb
                CLSID     4, 142c4,   136c4 [Data not mapped]
     Image Type: MEMORY   - Image read successfully from loaded memory.
    Symbol Type: PDB      - Symbols loaded successfully from symbol server.
                 C:\Debugger_Public\sym\srv.pdb\D3FD3BA3615D437E83B9D339ED15DEE32\srv.pdb
    Load Report: public symbols , not source indexed
                 C:\Debugger_Public\sym\srv.pdb\D3FD3BA3615D437E83B9D339ED15DEE32\srv.pdb

Published Tuesday, April 01, 2008 10:47 PM by Brad Rutkowski

Comments

# re: Some useful debugging commands @ Monday, December 29, 2008 9:07 PM

Hi Brad, this is good stuff.

I'm looking for some commands on determining the status of IPIs on an x64 system.

Q: Do you know of such commands?

Example: on x86 I can use the !ipi command but not on x64.

Thanks!

Ron
