WinDbg is Microsoft’s powerful debugger for Windows kernel and user-mode debugging, crash dump analysis, and driver development. This guide covers command-line debugging, breakpoints, extensions, and analysis workflows.
Installation and Setup
Windows 10/11
# Install via Windows Debuggers (part of WDK)
# Download from: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/
# Or use Windows Package Manager
winget install Microsoft.WinDbg
# Or download standalone from Microsoft
# Installer includes debuggers, help, and samples
Starting WinDbg
# User-mode debugging
windbg.exe -p <PID> # Attach to process
windbg.exe executable.exe # Debug executable
windbg.exe -p <PID> -g # Attach, run to next breakpoint
windbg.exe -p <PID> -G # Attach, break immediately
# Kernel debugging (requires serial/USB connection or VM)
windbg.exe -k com:port=COM1,baud=115200
windbg.exe -k net:port=50000,key=auto
# Crash dump analysis
windbg.exe -z crash_dump.dmp # Open dump file
Essential Commands
Process and Thread Control
| Command | Description |
|---|
g | Go (continue execution) |
p | Step over instruction |
t | Step into instruction |
gu | Go until return from function |
bp <addr> | Set breakpoint at address |
ba | Set hardware breakpoint |
bl | List all breakpoints |
bc * | Clear all breakpoints |
bd <#> | Disable breakpoint |
be <#> | Enable breakpoint |
.break | Break into debugger |
| Command | Description |
|---|
k | Show call stack (backtrace) |
kb | Stack with base pointers |
kn | Stack with frame numbers |
r | Show registers |
d<b/w/d/q> <addr> | Dump 1/2/4/8 bytes at address |
!address | Show address details |
!peb | Show Process Environment Block |
!teb | Show Thread Environment Block |
lm | List loaded modules |
lm m <module> | Show specific module info |
!dh <module> | Dump module headers |
Finding Code and Data
| Command | Description |
|---|
x <module>!<symbol> | Find symbol (e.g., x kernel32!CreateFileA) |
s -a <addr> <addr> "string" | Search for ASCII string |
s -u <addr> <addr> "string" | Search for UNICODE string |
s -[1]b <addr> <addr> <bytes> | Search for byte pattern |
ln <addr> | Show nearest symbol to address |
ub <addr> | Unassemble backwards from address |
u <addr> | Unassemble at address |
Analysis Commands
| Command | Description |
|---|
!analyze -v | Analyze crash dump (verbose) |
dt <type> | Dump type structure |
dt <type> <addr> | Dump structure at address |
!process 0 0 | Show all processes |
!thread | Show current thread |
!handle | Show handle table |
!locks | Show lock information |
Crash Dump Analysis
Opening and Analyzing Dumps
# Open dump file
windbg -z crash.dmp
# Get comprehensive analysis
!analyze -v
# Output includes:
# - Crash code and parameters
# - Faulting instruction
# - Stack trace
# - Module list
# - Recommended actions
Dump Types
| Type | Contains |
|---|
| Minidump | Minimal information, small size |
| Small memory dump | Kernel memory, CPU state |
| Large memory dump | Full kernel memory |
| Complete memory dump | Everything (large files) |
| Live kernel dump | Attached to running system |
Examining Memory at Crash
# Show faulting instruction context
ub @eip-10 @@(popcnt(@eip-10));ub @eip+10
# Show involved variables
dv ; Show local variables
dt <struct_name> <addr> ; Dump structure
# Trace back to root cause
k 20 ; Extended stack trace
dps @esp l 50 ; Dump stack with symbols
Breakpoints and Conditional Debugging
Basic Breakpoints
# Function breakpoint
bp kernel32!CreateFileA
bp MyModule!MyFunction+0x50
# Address breakpoint
bp 0x401000
bp @eip ; Current instruction
# List and manage
bl ; List all breakpoints
bd 1 ; Disable breakpoint 1
be 1 ; Re-enable
bc * ; Clear all
Conditional Breakpoints
# Break on condition
bp 0x401000 "j (eax==0x100) '' 'g'"
# Count hits before breaking
bp 0x401000 0x100 ; Break after 100 hits
# Complex conditions with actions
bp kernel32!CreateFileA "j (@ecx==0x12345678) '' 'g'"
Hardware Breakpoints
# Data breakpoint (4 max on x86)
ba e1 0x401000 ; Break on Execute (1 byte)
ba w4 0x401000 ; Break on Write (4 bytes)
ba r4 0x401000 ; Break on Read (4 bytes)
ba r8 0x401000 ; Break on Read (8 bytes)
Debugger Extensions
Loading Extensions
.load dbghelp.dll ; Load extension
.load -i C:\path\to\ext.dll ; Load from full path
.unload <ext> ; Unload extension
# Common extensions
.load psscor2.dll ; .NET Framework
.load winext\umdh.dll ; User Mode Dump Heap
Kernel Debugging Extensions
# Part of debugger installation
.load kext.dll ; Kernel extensions
.load sdbgext.dll ; OS-specific extensions
# Use extension commands
!process ; kernel32 processes
!drvobj ; Driver objects
!perf ; Performance info
!timer ; Timers
Scripting and Automation
Debug Scripts
# Create script file (commands.txt)
bp kernel32!CreateFileA
g
p
r
d @esp L10
# Execute script
windbg.exe -c "$$>< commands.txt" -p <PID>
windbg.exe -c "g" -G <executable>
Common Script Patterns
# Conditional output
j (eax == 0) 'echo "EAX is zero"' 'echo "EAX is not zero"'
# Loop through stack
.foreach (addr {dps @esp L10}) {
ln ${addr}
}
# Format and dump
.printf "Register: %x\n", @eax
Module and Symbol Management
Loading Symbols
# Set symbol path
.sympath C:\symbols
.sympath srv*C:\cache*https://msdl.microsoft.com/download/symbols
# Load symbols
.reload /f ; Force reload all modules
.reload <module> ; Reload specific module
!sym noisy ; Show symbol loading info
Finding Symbols and Exports
# Exported functions
x kernel32!*CreateFile*
x advapi32!*Reg*
# Function addresses
ln 0x401000 ; Nearest symbol
ln <func_name> ; Specific function address
# Module information
lm ; List all modules
lm m kernel32 ; Show module info
!dh <base> ; PE header dump
Heap Debugging
Heap Analysis
!heap ; Show heap summary
!heap -h 0 ; Show specific heap
!heap -h 0 -a ; Show all heap information
!heap -h 0 -f ; Find heap blocks
# Heap block info
!heapstat
!dh <heap_addr> -a
Memory Leak Detection
# Mark for leak detection
!heap -h 0 -m
# Find unreferenced blocks
!heap -p -a 0x<addr>
!heap -l
Common Analysis Tasks
Finding a Specific Function
# Search for function in modules
x kernel32!Create*
x advapi32!*SetValue*
# Get function address
ln kernel32!CreateFileA
p:fp CreateFileA ; Find by partial name
Stack Trace Analysis
# Full stack with local variables
kb 10 ; 10 frames with EBP
kbn 20 ; 20 frames with frame numbers
# Show symbolic information
k
dps @esp L 50 ; Dump stack with symbols
dt <struct> <addr> ; Dump structure at location
Inspecting Code
# Disassemble function
uf kernel32!CreateFileA
# Context around address
ub @eip-0x20 @@(popcnt(@eip-0x20))
u @eip L 20 ; 20 instructions forward
# Find jumps and calls
x kernel32!*CreateFile* ; Find all variants
Kernel Debugging
Kernel Specific Commands
!process 0 0 ; All processes
!process 0 1 <name> ; Find by name
!thread ; Current thread
!drvobj <addr> ; Driver object
!irp <addr> ; I/O request packet
!devobj <addr> ; Device object
Kernel Debugging Workflow
# Attach to debugged system
# Live kernel debugging via serial/USB/network
# Examine system state
!process 0 0 ; Running processes
!handle ; System handles
!timer ; Active timers
# Analyze driver issues
!drvobj <driver>
!devobj <device>
!irp <irp_ptr>
Common Debugging Workflows
Debugging a Crash
1. Open dump: windbg -z crash.dmp
2. Analyze: !analyze -v
3. Get stack: k 20
4. Find faulting instruction: ub @eip-20
5. Examine variables: dv
6. Check return address: dps @esp l 5
7. Look at module info: lm
8. Repeat for deeper insight
Debugging a Process
1. Attach: windbg -p <PID>
2. Break: Ctrl+Alt+Break (or .break)
3. Get stack: k
4. Set breakpoint: bp kernel32!CreateFileA
5. Resume: g
6. Inspect at breakpoint
7. Step through: t or p
8. Check registers: r
Memory Leak Investigation
1. Attach to running process
2. Take heap snapshot: !heap
3. Reproduce leak scenario
4. Compare heaps: !heapstat
5. Find leak source: !heap -p -a <addr>
6. Trace allocations backward
Tips and Best Practices
- Use symbol paths for better function names
- Set breakpoints on key APIs (CreateFileA, WriteFile, etc)
- Use !analyze -v for dumps first
- Keep debugger output clean with focused searches
- Document interesting findings with comments
- Use .foreach for automated analysis
- Check module list for unexpected DLLs
- Monitor stack corruption with data breakpoints
- Use extension commands for detailed analysis
Last updated: 2026-03-30
