The following is a list of WinDbg commands useful during a debugging session:
d{b|w|d|q|s|...} <address> - display memory in a given range (byte, word, dword, quad, string, etc.), ex.:
kd> dq ffffe60003fcd540 L1
ffffe600`03fcd540 00000000`00b60003
e{b|w|d|q|...} <address> <new value> - edit/enter memory, ex.:
kd> eb 0xffffe60003fcdc0a 62
dt <data type> - display type, ex.:
kd> dt nt!_LIST_ENTRY
+0x000 Flink : Ptr64 _LIST_ENTRY
+0x008 Blink : Ptr64 _LIST_ENTRY
u <address> - unassemble, ex.:
kd> u nt!KeInsertQueueApc
nt!KeInsertQueueApc:
fffff800`0c53a220 48895c2410 mov qword ptr [rsp+10h],rbx
fffff800`0c53a225 44894c2420 mov dword ptr [rsp+20h],r9d
fffff800`0c53a22a 55 push rbp
fffff800`0c53a22b 56 push rsi
fffff800`0c53a22c 57 push rdi
fffff800`0c53a22d 4154 push r12
fffff800`0c53a22f 4155 push r13
fffff800`0c53a231 4156 push r14
uf <address> - unassemble function, ex.:
kd> uf nt!MiGetPteAddress
nt!MiGetPteAddress:
fffff800`0c4c6904 48c1e909 shr rcx,9
fffff800`0c4c6908 48b8f8ffffff7f000000 mov rax,7FFFFFFFF8h
fffff800`0c4c6912 4823c8 and rcx,rax
fffff800`0c4c6915 48b80000000000f7ffff mov rax,0FFFFF70000000000h
fffff800`0c4c691f 4803c1 add rax,rcx
fffff800`0c4c6922 c3 ret
lm - display loaded modules, ex.:
lkd> lm
start end module name
00007ff7`f9dc0000 00007ff7`f9e64000 windbg (deferred)
00007ffc`0d8d0000 00007ffc`0dadf000 kdexts (deferred)
00007ffc`0dae0000 00007ffc`0db15000 kext (deferred)
00007ffc`0db20000 00007ffc`0dbde000 exts (deferred)
00007ffc`0dda0000 00007ffc`0e273000 ext (deferred)
[...]
lmDvm <module> - get details about a module, ex.:
kd> lmDvm nt
Browse full module list
start end module name
fffff800`0c40c000 fffff800`0ce78000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\F5A2D6FD89C72E8EBA6E987298F885E21\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Timestamp: Tue Jun 13 13:14:50 1995 (2FDD813A)
CheckSum: 009456B4
ImageSize: 00A6C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
lm a <address> - get module name for address, ex.:
kd> lm a fffff8000c40d100
Browse full module list
start end module name
fffff800`0c40c000 fffff800`0ce78000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\F5A2D6FD89C72E8EBA6E987298F885E21\ntkrnlmp.pdb
x <module!pattern> - examine symbols (/v adds type, address and size), ex.:
kd> x /v nt!Psp*cr*proc*
prv func fffff800`0cb3f610 f1 nt!PspSetCreateProcessNotifyRoutine (void)
prv func fffff800`0c9dcecc ea nt!PspCreateUserProcessEcp (void)
prv func fffff800`0cb70250 46 nt!PspCreateProcess$filt$0 (void)
prv func fffff800`0ca08d88 127b nt!PspBuildCreateProcessContext (void)
prv func fffff800`0ca0a00c 182 nt!PspDeleteCreateProcessContext (void)
prv func fffff800`0cb54c3c 34e nt!PspCreateProcess (void)
pub func fffff800`0cc963d8 0 nt!PspCreatePartitionSystemProcess (<no parameter info>)
pub func fffff800`0cc92070 0 nt!PspRecordCrashedProcessIntoBlackbox (<no parameter info>)
pub func fffff800`0cc95290 0 nt!PspCreatePicoProcess (<no parameter info>)
pub func fffff800`0ca69158 0 nt!PspValidateCreateProcessProtection (<no parameter info>)
[...]
ln <address> - display nearest symbol, ex.:
kd> ln fffff800`0ccc8800
Browse module
Set bu breakpoint
(fffff800`0ccc8630) nt!EtwpProcessorRundown+0x1d0 | (fffff800`0ccc8890) nt!EtwpPsProvCaptureState
!process <pid> <verbosity> [image name] - display process information (pid 0 with an image name searches by name), ex.:
kd> !process 4 0
Searching for Process with Cid == 4
PROCESS ffffe60ffac6a040
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001aa000 ObjectTable: ffffc106f4403e80 HandleCount: 2645.
Image: System
kd> !process 0 0 notepad.exe
PROCESS ffffe60003fcd540
SessionId: 1 Cid: 14f0 Peb: 3a82114000 ParentCid: 142c
DirBase: bb208000 ObjectTable: ffffc106fb9b6ac0 HandleCount: 242.
Image: notepad.exe
!pte <address> - display page table info, ex.:
kd> !pte ffffe60003fcd540
VA ffffe60003fcd540
PXE at FFFFF77BBDDEEE60 PPE at FFFFF77BBDDCC000 PDE at FFFFF77BB98000F8 PTE at FFFFF7730001FE68
contains 0A00000003933863 contains 0A0000001F254863 contains 0A0000009766E863 contains 8A0000009D448863
pfn 3933 ---DA--KWEV pfn 1f254 ---DA--KWEV pfn 9766e ---DA--KWEV pfn 9d448 ---DA--KW-V
!vtop <DirBase> <address> - virtual-to-physical translation (DirBase 0 = current process), ex.:
kd> !vtop 0 ffffe60003fcd540
Amd64VtoP: Virt ffffe600`03fcd540, pagedir 97874000
Amd64VtoP: PML4E 97874e60
Amd64VtoP: PDPE 3933000
Amd64VtoP: PDE 1f2540f8
Amd64VtoP: PTE 9766ee68
Amd64VtoP: Mapped phys 9d448540
Virtual address ffffe60003fcd540 translates to physical address 9d448540.
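The !pte and !vtop output above, together with the uf nt!MiGetPteAddress listing, is enough to reproduce the whole translation by hand. The following Python is an added example, not part of the original cheat sheet or of WinDbg: it derives the PTE base from the MiGetPteAddress constant on this page, computes the self-map PXE/PPE/PDE/PTE virtual addresses !pte prints, decodes the flag column, and walks the physical tables the way !vtop does. The entry values and the page-directory base are copied from the output above; the copy-on-write (C) column being Windows software bit 9 is an assumption, the rest are hardware bits.

```python
# Added example: reproduce !pte / !vtop for the VA used on this page.
# Constants below are taken from the page's own output, not from a live target.

VA = 0xFFFFE60003FCD540
PTE_BASE = 0xFFFFF70000000000   # "mov rax, 0FFFFF70000000000h" in nt!MiGetPteAddress
PAGEDIR = 0x97874000            # "pagedir 97874000" in the !vtop output

# "contains ..." values from the !pte output, keyed by level.
ENTRIES = {
    "PXE": 0x0A00000003933863,
    "PPE": 0x0A0000001F254863,
    "PDE": 0x0A0000009766E863,
    "PTE": 0x8A0000009D448863,
}


def mi_get_pte_address(va, pte_base=PTE_BASE):
    """Same arithmetic as the disassembly: shr rcx,9 ; and rcx,7FFFFFFFF8h ; add pte_base."""
    return pte_base + ((va >> 9) & 0x7FFFFFFFF8)


def self_map_index(pte_base=PTE_BASE):
    """PML4 slot through which the page tables map themselves: bits 47..39 of the PTE base."""
    return (pte_base >> 39) & 0x1FF


def table_entry_addresses(va, pte_base=PTE_BASE):
    """Virtual addresses of the PXE/PPE/PDE/PTE for `va`, as !pte reports them.
    Each higher level's base is the lower level's base with the self-map index shifted in."""
    idx = self_map_index(pte_base)
    pde_base = pte_base + (idx << 30)
    ppe_base = pde_base + (idx << 21)
    pxe_base = ppe_base + (idx << 12)
    va48 = va & 0xFFFFFFFFFFFF  # drop sign-extension bits
    return {
        "PXE": pxe_base + ((va48 >> 39) << 3),
        "PPE": ppe_base + ((va48 >> 30) << 3),
        "PDE": pde_base + ((va48 >> 21) << 3),
        "PTE": mi_get_pte_address(va, pte_base),
    }


def describe_flags(entry):
    """Build the 11-character flag column !pte prints (e.g. ---DA--KWEV).
    Column order: C G L D A N T U/K W/R E/- V."""
    bit = lambda n: (entry >> n) & 1
    return "".join([
        "C" if bit(9) else "-",    # copy-on-write (Windows software bit, assumed)
        "G" if bit(8) else "-",    # global
        "L" if bit(7) else "-",    # large page
        "D" if bit(6) else "-",    # dirty
        "A" if bit(5) else "-",    # accessed
        "N" if bit(4) else "-",    # cache disabled
        "T" if bit(3) else "-",    # write-through
        "U" if bit(2) else "K",    # user / kernel
        "W" if bit(1) else "R",    # writable / read-only
        "-" if bit(63) else "E",   # NX set -> not executable
        "V" if bit(0) else "-",    # valid
    ])


def pfn(entry):
    """Page frame number: bits 12..51 of a valid entry."""
    return (entry >> 12) & 0xFFFFFFFFFF


def walk_physical(va, pagedir, entries):
    """Reproduce the !vtop walk: each table lives at pfn(previous entry) << 12 and the
    entry offset is the 9-bit index from `va` times 8. A large (2 MB) PDE ends the walk early."""
    va48 = va & 0xFFFFFFFFFFFF
    idx = lambda shift: (va48 >> shift) & 0x1FF
    out = {
        "PML4E": pagedir + idx(39) * 8,
        "PDPE": (pfn(entries["PXE"]) << 12) + idx(30) * 8,
        "PDE": (pfn(entries["PPE"]) << 12) + idx(21) * 8,
    }
    if entries["PDE"] & (1 << 7):  # large page: bits 21..51 of the PDE are the frame base
        out["phys"] = (entries["PDE"] & 0x000FFFFFFFE00000) + (va & 0x1FFFFF)
        return out
    out["PTE"] = (pfn(entries["PDE"]) << 12) + idx(12) * 8
    out["phys"] = (pfn(entries["PTE"]) << 12) + (va & 0xFFF)
    return out


if __name__ == "__main__":
    print("self-map index: %#x" % self_map_index())
    for level, addr in table_entry_addresses(VA).items():
        e = ENTRIES[level]
        print("%s at %016X contains %016X pfn %x %s" % (level, addr, e, pfn(e), describe_flags(e)))
    for name, val in walk_physical(VA, PAGEDIR, ENTRIES).items():
        print("%-5s %x" % (name, val))
```

Run as-is it prints the same PXE/PPE/PDE/PTE addresses, PFNs and flag strings as the !pte output above and the same PML4E/PDPE/PDE/PTE physical addresses as !vtop; point VA and ENTRIES at another address from your own session to cross-check the debugger's answer.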
!d{b|w|d|q|...} <physical address> - display physical memory, ex.:
kd> !dq 9d448540 L4
#9d448540 00000000`00b60003 ffffe600`03fcd548
#9d448550 ffffe600`03fcd548 ffffe600`03fcd558
.hh <command> - get help, ex.:
kd> .hh dt
.reload - reload/download symbols, ex.:
kd> .reload
Connected to Windows 10 17763 x64 target at (Mon Sep 23 12:02:02.337 2024 (UTC + 1:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
................................................................
.......................................
Loading unloaded module list
.......