here is what windbg help file has to offer for your questions
The most common application errors are called exceptions. These include
access violations, division-by-zero errors, numerical overflows, and many
other kinds of errors.
Applications can also cause breakpoint interrupts. These occur when Windows
is unable to run the application (for example, when a necessary module
cannot be loaded) or when a breakpoint is encountered. Breakpoints can be
inserted into the code by a debugger, or invoked through a function such as
DbgBreakPoint. In assembly language, a breakpoint interrupt is generated by
an int 3 instruction.
Windows can handle user-mode errors in a variety of ways. The following
sequence shows the precedence used for error handling:
If a user-mode debugger is currently attached to the faulting process, all
errors will cause the target to break into this debugger.
As long as the user-mode debugger is attached, no other error-handling
methods will be used ? even if the gn (Go With Exception Not Handled)
command is used.
*If no user-mode debugger is attached and the executing code has its own
exception handling routines (for example, try - except), this exception
handling routine will attempt to deal with the error.
*If no user-mode debugger is attached, and Windows has an open
kernel-debugging connection, and the error is a breakpoint interrupt,
Windows will attempt to contact the kernel debugger.
Kernel debugging connections must be opened during Windows’ boot process. If
you are using Windows Server 2003 or a later version of Windows and wish to
prevent a user-mode interrupt from breaking into the kernel debugger, you
can use the KDbgCtrl utility with the -du parameter. For details on how to
configure kernel-debugging connections and how to use KDbgCtrl, see
Configuring Software on the Target Computer.
*If Windows does attempt to contact a kernel debugger but there is no
debugger running at the other end of the connection, Windows will freeze
until kernel debugger is activated.
*
In the kernel debugger, you can use gh (Go With Exception Handled) to
disregard the error and continue running the target. You can use gn (Go With
Exception Not Handled) to bypass the kernel debugger and go on to step 4.
If the conditions in steps 1, 2, and 3 do not apply, Windows will activate a
debugging tool. Any program can be selected in advance as the tool to use in
this situation. The chosen program is referred to as the postmortem
debugger. This is also known as the just-in-time debugger or the JIT
debugger.
If the postmortem debugger is a standard user-mode debugger (such as CDB,
WinDbg, or Microsoft Visual Studio), this debugger will start up and break
into your application.
If the postmortem debugger is a tool for writing dump files (such as Dr.
Watson), a memory dump file will be created, and then the application will
be terminated.
Note If Dr. Watson is activated on Windows XP or a later version of
Windows, a message box will appear. This window gives you the option of
sending an error report to Microsoft. If you choose Don’t Send, a dump file
will created and stored on your hard disk. If you choose Send Error Report,
a dump file will be created and stored on your hard disk, and will also be
transmitted to Microsoft over the internet.
If you have not reconfigured Windows’ postmortem settings, Dr. Watson is
used as the default postmortem debugger. This setting can be changed
programmatically or through the registry; any changes take effect
immediately.
To change the postmortem debugger to WinDbg, run windbg -I. (The I must be
capitalized.) This command will display a success or failure message after
it is used. When WinDbg is the postmortem debugger, it will be activated
whenever an application crashes.
To change the postmortem debugger to CDB, run cdb -iae or cdb -iaec
KeyString… When the -iaec switch is used, KeyString specifies a string to
be added to the end of the AeDebug registry key. This command will display
no message if it succeeds, but will display a failure message if it fails.
When CDB is the postmortem debugger, it will be activated whenever an
application crashes.
To change the postmortem debugger to NTSD, run ntsd -iae or ntsd -iaec
KeyString… When the -iaec switch is used, KeyString specifies a string to
be added to the end of the AeDebug registry key. If KeyString contains
spaces, it must be enclosed in quotation marks. This command will display no
message if it succeeds, but will display a failure message if it fails. When
NTSD is the postmortem debugger, it will be activated whenever an
application crashes.
To change the postmortem debugger back to Dr. Watson, run drwtsn32 -i. When
Dr. Watson is the postmortem debugger, a memory dump file will be written to
disk if an application crashes. See Dr. Watson Command-Line Options for
details.
Only a system administrator can alter the postmortem settings.
If a postmortem debugger has been installed, you can deliberately break into
the debugger from a user-mode application by calling the DebugBreak
function.
like it has been stated several times earlier there is no better way other
than do it yourself
and read and reread the windbg help file until things start making sense on
your own
scott noone or for that matter anyone who is reading or responding to this
list probably might never need to use usermode debugging
but they still know it in back of thier mind how to enable or disable user
mode exception and they also post the os that this option works
thats mainly because they might have glanced over the help file quiet a few
times just reading it like a novel
try searching for *noumex *switch as an added trivia to the debugger
handling user mode exceptions
regards
raj_r
On 11/17/08, Lin George wrote:
> Thanks for your advice, Martin!
>
> 1.
>
> Previously I think breakpoint is set by a debugger and breakpoint only
effects if the binary is attached with debugger, if no debugger attached, no
breakpoint will take effect. Is that true?
>
> 2.
>
> I am confused about what do you mean “any breakpoint that is not handled
by a user mode debugger” – my confusion is, if the user mode debugger set
the breakpoint, say break in main function, the user mode debugger should be
able to handle this breakpoint (I think user mode debugger should be able to
handle all breakpoints which is listed in bl command in Windbg). Could you
show me a sample which user mode debugger sets a breakpoint, but not handle
the breakpoint?
>
> 3.
>
> “there events in the os itself that cause breakpoints” – do you mean int
3 interruption from some software (the running software is not attached with
user mode debugger but emit int 3 interruption, so the software is supposed
to delegate kernel debugger to handle, and if no kernel debugger from host
machie, the target machine is hang)? Or you mean something else?
>
> BTW: why I ask this question is I want to make it clear whether it is my
program bug which causes system halt or just open kernel debugger issue
which causes system halt.
>
> regards,
> George
>
>
> ----- Original Message ----
> From: Martin O’Brien
> To: Kernel Debugging Interest List
> Sent: Monday, November 17, 2008 9:10:27 PM
> Subject: Re:[windbg] kernel debugger option
>
> 1. Yes - any breakpoint that is not handled by a user mode debugger will
cause the target to ‘halt,’ because it is expecting a kernel debugger to be
connected. I haven’t any idea of what you’re talking about with the rest of
that, but there events in the os itself that cause breakpoints, and there’s
also third party software that behaves very differently with a configuration
that enabled /debug support, so it’s not something that you can control,
especially in the case of CHK builds.
>
> 2. Read the documentation. Please. All you have to do is copy the
existing line to a new line and modify it, but, again, read the
documentation, please.
>
> Both of those being said, it doesn’t matter, given what you have
experienced yourself:
>
> > Yes, Martin. I met with the machine halt problem as you mentioned, and I
suspect it is kernel debugger option issue.
>
> Doesn’t this settle the question for you? Why does it matter if you can’t
even boot without a debugger enabled, and no, it’s not an option problem,
unless you mean not enabling debugging as the ‘option.’
>
> George, you need to understand that learning how to use windbg for kernel
work takes a good three to six months to figure out, and that assumes that
you know something about kernel work to begin with. There are no
tutorials for learning kd debugging, the documentation deeply, deeply sucks,
and there is no way to learn it other than to just roll up your sleeves and
do it. You. Not me. Not Tim. Not Skywing. Not Snoone. Not raj_r. Not
anyone else. You. This subject (how to use windbg for kd) is one of the
most common questions on these lists, and because of that and that there is
no answer other than ‘do it yourself,’ it’s also one of the questions for
which members have the least patience.
>
> Do with this piece of advice what you will, but given what you have shown
us to date, you don’t seem to be willing to figure things out on your own,
and you also don’t generally like what we tell you, so I really, really,
really don’t think you’re going to like this type of work.
>
>
> Good luck,
>
> mm
>
>
>
>
>
>
>
>
>
>
>
>
> Lin George wrote:
> > Yes, Martin. I met with the machine halt problem as you mentioned, and I
suspect it is kernel debugger option issue.
> >
> > 1. You mentioned “most likely, depending on what else you have going on,
like a user mode debugger” – my confusion is do you mean breakpoint makes
machine halt? My confusion is break point only takes effect when there is
some binary under debug (with debugger attached), and break point is hit. If
I just reboot the machine and with the kernel debugger option turned on, no
breakpoint should take effect, so I think break point will never makes
machine halt. Please correct me if I am wrong.
> >
> > 2. “more than one option in the boot.ini” – you mean we can let user
select from start whether boot with kernel debugger turned on or turned off?
Looks like fancy.
> >
> > regards,
> > George
> >
> >
> > ----- Original Message ----
> > From: Martin O’Brien
> > To: Kernel Debugging Interest List
> > Sent: Monday, November 17, 2008 8:36:06 PM
> > Subject: Re:[windbg] kernel debugger option
> >
> > It’s been a while since I’ve used anything pre-bcd for a target, but if
I recall correctly, it will probably not boot without a debugger connected,
but even if it does, breakpoints (most likely, depending on what else you
have going on, like a user mode debugger) and traps will cause the machine
to halt, so I guess these would qualify as ‘strange.’
> >
> > You can and should always have more than one option in the boot.ini, so
just add the debugger option, and leave the original one alone.
> >
> > Strictly speaking, a debugger connection is a security risk, but in
practice, if someone can get that close to the machine, it’s all a waste of
time, so it’s not something that I would worry about on that basis, but
certainly there’s no upside to having it in production.
> >
> > Again George - cart before the horse? Why don’t you learn how to use
the debugger first, and worry about this later.
> >
> >
> > Good luck,
> >
> > mm
> >
> > Lin George wrote:
> >> Hello everyone,
> >>
> >> I am turning on the kernel debugger option in boot.ini. But I am not
sure whether I should remove the option if I do not debug the target
machine? Whether keep the kernel debugger option in boot.ini will make the
system unstable or behaves strangely sometimes?
> >>
> >> thanks in advance,
> >> George
> >>
> >>
> >>
> >
> > —
> > You are currently subscribed to windbg as: xxxxx@yahoo.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
> >
> >
> >
>
> —
> You are currently subscribed to windbg as: xxxxx@yahoo.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>
>
> —
> You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>