Debugging user process in kernel mode debugging

Don_Burn_1 Member Posts: 4,311
I've debugged user processes with windbg in kernel mode by putting a hard coded breakpoint in the program and when it is hit, reloading symbols and stepping into the program. Some folks I am working with are having problems getting this to work, and I remember there was a discussion of an alternate way to do this. Can someone remind me of the commands to get there?

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Comments

  • OSR_Community_User Member Posts: 110,217
    Would that be kdbgctrl.exe -eu?

    Instead of using int3, I usually use .process /i [EPROCESS], followed by .reload and bp. It doesn't work 100% of the time. IIRC there was a nice OSR article some time ago that explained some of the limitations.

    Regards,
    Gary Kratkin


  • Don_Burn_1 Member Posts: 4,311
    Actually I believe there is a way to do this from entirely inside of Windbg. .process is not it.

    Don Burn (MVP, Windows DKD)
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr
  • raj_r Member - All Emails Posts: 977
    !bpid Processid ?



    --
    thanks and regards

    raj_r
  • Jeff_Glass Member Posts: 96
    Use a CPU hardware breakpoint with "ba" ?

  • raj_r Member - All Emails Posts: 977
    kd> g
    Break instruction exception - code 80000003 (first chance)
    *******************************************************************************
    *                                                                             *
    *   You are seeing this message because you pressed either                    *
    *       CTRL+C (if you run kd.exe) or,                                        *
    *       CTRL+BREAK (if you run WinDBG),                                       *
    *   on your debugger machine's keyboard.                                      *
    *                                                                             *
    *                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
    *                                                                             *
    * If you did not intend to break into the debugger, press the "g" key, then   *
    * press the "Enter" key now.  This message might immediately reappear.  If it *
    * does, press "g" and "Enter" again.                                          *
    *                                                                             *
    *******************************************************************************
    nt!RtlpBreakWithStatusInstruction:
    804e3592 cc              int     3
    kd> !bpid -a 0174
    Finding winlogon.exe (0)...
    Waiting for winlogon.exe to break. This can take a couple of minutes...
    Break instruction exception - code 80000003 (first chance)
    Stepping to g_AttachProcessId check...
    Break into process 174 set. The next break should be in the desired process.

    Microsoft (R) Windows User-Mode Debugger Version 5.1.2600.0
    Copyright (c) Microsoft Corporation. All rights reserved.

    *** wait with pending attach
    Loaded dbghelp extension DLL
    The call to LoadLibrary(ext) failed with error 2.
    Please check your debugger configuration and/or network access
    Loaded exts extension DLL
    The call to LoadLibrary(uext) failed with error 2.
    Please check your debugger configuration and/or network access
    Loaded ntsdexts extension DLL
    Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH setting
    Executable search path is:
    ModLoad: 01000000 01014000 C:\WINDOWS\system32\notepad.exe
    ModLoad: 7c900000 7c9af000 C:\WINDOWS\system32\ntdll.dll
    ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
    ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\comdlg32.dll
    ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
    ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
    ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
    ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
    ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
    ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
    ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
    ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
    ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.dll
    ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
    ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
    ModLoad: 6f880000 6fa4a000 C:\WINDOWS\AppPatch\AcGenral.DLL
    ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
    ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
    ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
    ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
    ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
    ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
    ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
    Break instruction exception - code 80000003 (first chance)
    eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c90120e esp=003bffcc ebp=003bfff4 iopl=0         nv up ei pl zr na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
    ntdll!DbgBreakPoint:
    7c90120e cc              int     3
    0:001> ~*k
    ~*k

       0  id: 174.178 Suspend: 1 Teb 7ffdd000 Unfrozen
    *** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\notepad.exe
    ChildEBP RetAddr
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0007fed8 01002a1b ntdll!KiFastSystemCallRet
    0007ff1c 01007511 notepad+0x2a1b
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
    0007ffc0 7c817067 notepad+0x7511
    0007fff0 00000000 kernel32!RegisterWaitForInputIdle+0x49

    .  1  id: 174.354 Suspend: 1 Teb 7ffdc000 Unfrozen
    ChildEBP RetAddr
    WARNING: Stack unwind information not available. Following frames may be wrong.
    003bfff4 00000000 ntdll!DbgBreakPoint
    0:001>


    --
    thanks and regards

    raj_r
  • mm Member - All Emails Posts: 1,409
    A hardware breakpoint won't by default be active in all register contexts
    (.apply_db).

    What kind of problems are they having? Doesn't break in, symbols/stack
    makes no sense, ...?

    Do they have a user mode debugger active/AeDebug (Post mortem debugger)
    registered?

    How about using the whole 'controlling the user mode debugger from the
    kernel mode debugger' thing?

    mm






  • mm Member - All Emails Posts: 1,409
    Whoops - never mind the part about whether they have a post-mortem debugger
    enabled. That couldn't be the problem.

    One other thought - have they been using 'sxi?'


    mm
  • Scott_Noone_(OSR) Administrator Posts: 3,096
    I just wrote about the use of .process here if it helps:

    http://osronline.com/article.cfm?id=576&nocache=1

    -scott

    --
    Scott Noone
    Consulting Associate and Chief System Problem Analyst
    OSR Open Systems Resources, Inc.
    http://www.osronline.com


  • OSR_Community_User Member Posts: 110,217
    Just posted this comment on that article:
    --
    Nice article.
    .thread /r /p works in a live debug, too, shortening the switch/reload into
    one step.
    I've been able to debug the unmanaged shim to my minifilter using this
    technique, but I've not been able to get around in the managed UM code that
    drives my shim at all. Finally gave up and used Visual Studio for the
    managed code, and the kernel debugger for the unmanaged shim and kernel
    code. Really be interested to hear if someone has been more successful at
    that than I.
    Also, any concise recipe for configuring the kernel debugger so the Studio
    can handle UM exceptions?
    --
    Thanks,

    Phil

    Philip D. Barila (303) 776-1264

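As an added illustration (not from any poster in this thread, nor from Scott's article), the ".process /i, then .reload and bp" sequence Gary describes and the ".thread /r /p" shortcut Phil mentions, written as a WinDbg command script for a live kernel-mode session; the target (notepad.exe), the WinMain symbol and the <EPROCESS>/<ETHREAD> placeholders are assumptions for the example:

```windbg
$$ Added example: break into a user-mode process from the kernel debugger.
$$ Assumes the target is notepad.exe with symbols available; <EPROCESS> and
$$ <ETHREAD> stand for the addresses that !process prints (placeholders).

$$ 1. Locate the target process. The PROCESS line carries the EPROCESS address.
!process 0 0 notepad.exe

$$ 2. Invasive context switch. The debugger only arranges to break the next
$$    time this process is scheduled; nothing happens until the target runs.
.process /i <EPROCESS>
g

$$ 3. The break now lands inside notepad's context, so its user-mode address
$$    space is mapped. Reload user-mode symbols before touching any UM module;
$$    skipping this step is the usual reason "bp notepad!..." cannot resolve.
.reload /user

$$ 4. Set the breakpoint. /p ties it to this process so it does not fire when
$$    another process executes the same user-mode address.
bp /p <EPROCESS> notepad!WinMain
g

$$ Shortcut mentioned later in the thread: starting from a thread listed by
$$ !process, /p also switches the process context and /r reloads user-mode
$$ symbols, collapsing steps 2 and 3 into one command.
.thread /r /p <ETHREAD>
```

If the process is not yet running when you start, Gary's int3/kdbgctrl or raj's !bpid route still applies; the script above assumes the process already exists.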