windbg Command Cheat Sheet

Updated on 5/27/2016

Here is my personal windbg command cheat sheet. It is by no means a comprehensive list. For something more comprehensive see http://windbg.info/. The commands in this cheat sheat are the commands I find myself using the most. There are some commands here that are not listed on http://windbg.info/.

Also, I recommend using the NetExt extension found at https://netext.codeplex.com/. This is a very powerful managed code extension.

Symbols

Environment Variables
Parameters Description
_NT_SOURCE_PATH srv*
_NT_SYMBOL_PATH srv*e:\symbols*https://msdl.microsoft.com/download/symbols
Where e:\symbols is the path to cache downloaded symbols locally



Symbol Commands
Parameters Description
x Examine symbols Example: x*! -- list all modules x mscorwks!*gcinprogress*
lm List modules
lmv m <module name> List verbose information
ln <addr> List nearest symbol
.reload, .reload /f <module>.dll Reload the symbols for a module, /f is the force flag
.sym noisy|quiet Display verbose symbol loading information
.sympath “” Change the symbol path

Example:
.sympath c:\MyRegularSymbols;srv*c:\cache*https://msdl.microsoft.com/download/symbols

Where c:\MyRegularSymbols has your local symbols that are not found on the symbol server. In this example, c:\cache will be the location symbols from the server are cached.



Controlling Program Flow
Parameters Description
g Go, (start execution of the process), F5
p Program step (step over routine), F10
t Trace (step into routines), F11
gu Go up (step out of a routine, Shift-F11



Source Mode Toolbar Buttons
Parameters Description
Source mode on Debug steps will be on unit of code rather than one assembly instruction
Source mode off Debug steps will be one assembly instruction



Extensions

Commands for Controlling Extensions
Parameters Description
.load netext.dll Load extension
.unload netext.dll Unload extension
.chain List loaded extensions
!netext.help Most extensions will implement a help command that can be invoked like this



Load .NET Managed Extension from Memory
Parameters Description
.NET 4.0 .loadby sos clr
.NET 2.0 .loadby sos mscorwks



Call Stacks

Native
Parameters Description
kc Function names only
kb Include first three parameters
kn Include frame numbers
kv Include frame type info, including FPO info
kd Display raw stack data (also: dds @esp)
kf Display the distance between frames
kp Gives detailed symbol information about the parameters
kL Display without source lines



Managed
Parameters Description
!clrstack Displays the managed portion of the call stack
~*e!clrstack Displays the managed call stack for all threads
!clrstack –a Display both parameters and locals
!clrstack –p Display parameters
!clrstack –l Display locals
!wclrstack NetExt enhanced version of the command



Navigating Frames
Parameters Description
.frame /r <frame num>

/r sets up register context

This is also possible to do through GUI by double-clicking the frame in the call stack window.



Threads and Locks

Parameters Description
~. Get current thread info
~Number Enter any thread number to list the thread info
~33s Change current thread to thread #, for example ~33s will change the thread to 33
~~[tid] Change current thread using TID from the Windows OS
~* List all threads
~# Thread that caused the current exception
~*k Enumerate all threads and run the k command (dump stacks)
~*e!clrstack Enumerate all threads and run the !clrstack extension command (dump managed stacks)
!threadpool Get cpu usage
!runaway See which threads are taking CPU time
More !threads
!cs
!critsec
!critlist
!syncblk
!locks
!RWLock



Thread Local Storage
Parameters Description
!tls !tls -1 !tls SlotIdx !tls [-1 | SlotIdx] TebAddr -1 = dump all slots for current thread
SlotIdx = dump only specified slot
TebAddr = specify thread; if omitted, the current thread is used



Process

Parameters Description
!peb Process execution block - this will display the process command line
!teb Thread execution block
!procinfo Process info
!tib Thread information block
| Display process path and PID



Memory / Dumping Objects

Managed
Parameters Description
!dso Display stack objects and addresses, aka !dumpstackobjects
!do <addr> Display object, aka !dumpobject
!da <addr> Display array
!dax <addr> -x "command" Display array in spext, allows for running commands on each object
!wselect See NetExt documentation
!wdo <addr> Display object using NetExt, this version has clickable object references that make inspecting objects easier. Many other features available
!wstack Dump unique stack objects using NetExt



Native
Parameters Description
dt <type> <addr> Display type. This can also be viewed in the local windows, however because the code is optimized, a lot of the time the locals window will not display the correct information. The -b flag means to recursively display all child items. Example dt -b VcrossListView @rdx -b = recursive <typename> Mem location
dc <addr> Double-word values (4 bytes) and ASCII characters. Each display line shows the address of the first word in the line and up to eight hexadecimal word values, as well as their ASCII equivalent. The default count is 32 DWORDs (128 bytes). dc <addr> l2 // display as dwords and ASCII values l2 means list 2 dwords la means list 10 dwords
da <addr> Display ascii
du <addr> Display unicode string, there is also a !du defined in mex that has cleaner output
.formats <addr> Shows memory in different formats
? Expression evaluator (ie ?10 == "16 0x0000010") ?? c++ evaluator 0x=hex, 0n=dec, 0t=octal, 0y=binary n16 -- set number base
e Edit memory
ed – enter double-word values (ex. ed 0x23478924 10)
eb – enter byte values
ea – enter ASCII string
eu – enter Unicode string
s -a 0012ff40 L20 "Hello” Search memory



Native Dump Stack Objects
Parameters Description
dpu @$csp 0000000020e20000 Unicode - where second parameter is stackbase from !teb
dpa @$csp 0000000020e20000 Ascii - where second parameter is stackbase from !teb
dps @$csp 0000000020e20000 Symbol - where second parameter is stackbase from !teb
dpp @$csp 0000000020e20000 Pointers - where second parameter is stackbase from !teb



Memory
Parameters Description
!dumpheap -stat List a summary of all objects in the heap with addresses to the method table for each object
!dumpheap –type System.String Dump objects of a certain type from the heap
Additional Heap Examples !dumpheap –thinlock
!dumpheap -mt <addr to mt> -sizestat -stat
.foreach(c { !dumpheap -mt <addr> -short } ) { du poi${c} }
!dumpheap -min 85000 -stat //large object heap
!eeheap -gc See garbage collection generation stats
ln Locate nearest module, find which module is loaded at a memory address



Dereference Pointers

Use the poi() function to dereference pointers: da poi(@rbx+0x108)



Method Tables / Method Descriptors
Parameters Description
!dumpheap -stat List a summary of all objects in the heap with addresses to the method table for each object
!dumpmt -md <addr to method table> Dump all methods of a class
!dumpmd <addr of md> Dump method descriptor

Method Name: System.Object.ToString()
Class: 7159539c
MethodTable: 719cdbd4
mdToken: 06000212
Module: 71591000
IsJitted: yes
CodeAddr: 719319c8
Transparency: Transparent
!dumpmodule -mt <addr>  List module classes and method tables
!dumpdomain List assemblies in the app domain



Garbage Collection / Finalizer
Parameters Description
!gcroot <addr> Find if an object is rooted Using -nostacks will show only objects rooted in a domain.
!gcref -objectonly <addr> Find where unrooted objects were rooted. Use -objectonly to ensure that you don’t run out of memory.
!finalizequeue List objects that have finalizers but are still rooted
x mscorwks!*gcinprogress* This will show a boolean flag saying whether a GC is happening at the moment or not
!threadpool = 81% when in GC
!eeheap -gc Garbage collection information about the heaps



Breakpoints

Finding Native Breakpoints

Use the x command (see Symbols section), or do a code review to find the name of the function.



Setting A Native Breakpoint
Parameters Description
bp assembly!function Sets breakpoint on the specified function
Ex: bp ntdll!Class::Function



Finding Managed Breakpoints
Parameters Description
!name2ee *!namespace.class.function Search all managed assemblies for the given method. The wildcard * can be replaced with the assembly name.

Example:

!name2ee *!Namespace.Class.Function


Output:

Module: 000007feec871000 (Assembly.dll)
Token: 0x0000000006004e67
MethodDesc: 000007feecc98d90
Name: Namespace.Class.Function(Boolean, Boolean, Boolean, Boolean, Boolean, Boolean, Boolean, Boolean, System.Guid, Int32 ByRef, System.Object ByRef, System.Object ByRef, Boolean)
JITTED Code Address: 000007feee4db930
-----------------------
Token: 0x0000000006004e68
MethodDesc: 000007feecc98da0
Name: Namespace.Class.Function(Boolean, Boolean, Boolean, Boolean, Boolean, Boolean, Boolean, Boolean, System.Guid, Int32 ByRef, System.Object ByRef, System.Object ByRef, Boolean, System.String, Boolean)
JITTED Code Address: 000007feee4dab50



Setting Managed Breakpoints
Method Description
!name2ee One way is to use the !name2ee function and find the address of the jitted code, then use bp <addr> to set the breakpoint.
!bpmd The second way is to use !bpmd assembly!namespace.class.function which will add a deferred breakpoint. When the code becomes jitted a breakpoint gets set. This isn't always very reliable. A more reliable way using TTT to set a breakpoint for an unjitted function would be to !tt 100 to the end of the trace and then do a !name2ee to find the address of the jitted function.
Using the method table and method descriptor from the object in the heap Dump the objects on the heap and then use the method table and method descriptor to find the address of the jitted code:

!dumpheap -type
!dumpmt -md <addr of mt>
!dumpmd <addr of md>
bp <addr of jitted function>



Frequently used Breakpoint Commands
Parameters Description
bp Set breakpoint at a given address
bu Set unresolved breakpoint
ba Break on memory access
Example:
ba w4 <addr>
bc* Clear all breakpoints
bl List breakpoints
bd# Disable breakpoint
be# Enable breakpoint



Conditional Breakpoints
Parameters Description
Break at location if condition is true bp MyFunction+0xb “j (poi(MyVar) > 0x20)”
Break if location changes value ba w &MyVar
breaks on a write to the address of MyVar
Break at location if location == value bp MyMod!myFunction “j MyMod!g_myGlobal == 1 '.echo Hello' ; 'gc'”
Break at location after count is reached bp MyFunction+0xb 7
Execute debug statements when breakpoint is reached bp MyFunction+0xb “kb;.frame 2;dv;g”



Exceptions

Enable Exception Breakpoints
Parameters Description
sxe Enable

Common exceptions:
sxe eh
sxe av
sxe clr
sxd Disable
sxi Ignore
sxn Notify
sxr Reset defaults
sxe clr Break on .net exceptions
sxe ld mscorwks Set WinDBG to break when mscorwks is loaded
Execute command on exception sxe -c ".time -s;!pe;kc;gc" eh
sxe -c ".time -s;!pe;kc;gc" clr
sxe -c ".time -s;!pe;kc;gc" av
*These have a gui as well. (Debug -> Event Filters in the menu)

 


Get Exception Information
Parameters Description
!pe Display last exception thrown, same as !printexception
!dae Display all exceptions
~*e!printexception Run !pe on all threads
.exr -1 Print out exception record