> 1. I got some query regarding debugging using WinDbg
If you look up “csrss” in the debugger documentation index, you find
information on using ntsd/cdb.
There is no information for using Windbg.
Usually you do usermode debugging machine by running the debugger on the
same machine as the code.
Usually usermode debugging requires only one machine (ignoring “live debugging”).
Usually you do kernel mode debugging on two machines, connected by a null modem
cable or 1394/Firewire.
The kernel debugger is actually quite good at debugging usermode code, but
it doesn’t seem to be popular.
Debugging csrss with a usermode debugger running on the machine that the
code to be debugged is running is problematic apparently. Apparently there
are problems using the network and user32/gdi32. Like, using them requires
calling into csrss and you end up deadlocking.
There is a switch to ntsd/cdb “-d” that sort of “pipes” the interface
through kd, therefore has drastically reduced dependencies, avoids using
user32/gdi32 and possibly the network. This is what the documentation points
you to. The documentation says to debug csrss with “ntsd --” and that “--”
includes “-d”. cdb and ntsd are nearly the same thing: 1) ntsd is
installed by default, cdb you only get by installing the debuggers, 2) cdb I
think is a console app and ntsd a gui app that calls AllocConsole, but you
can tell cdb the “-2” option…the difference matters here like when you
debug cmd and press control-c, does it go to the debugger or cmd? It’s
ambiguous if they share the console. Likewise the input/output can be
ambiguous and confusing.
Anyway, here is what the documentation describes:
have two machines
install the debugger package (eg: dbg_x86_6.0.17.0.exe) on both machines
enable kernel mode debugging in the target, with like in boot.ini:
/debug /baudrate=115200
This part is tricky, getting the com ports right and all, but it
sounds like you have it mostly working.
Verify that kernel debugging is working:
on the kernel debug host
quit hyperterminal
mkdir c:\localsymbols
run something like kd -y symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/symbols -k com:port=com1,baud=115200
make sure you can breakin with control-c, and then resume
with “g” for go.
then on the debug target run “cdb --”
then look at kd in the debug host, you should find it’s actually
presenting cdb/ntsd’s prompt
it is subtle, I think kd’s prompt is “kd>” and cdb/ntsd’s is
like “123:456>” where 123:456 are probably process and thread ids.
Pressing control-c in this kd/cdb “merged” ui is ambiguous. To
unambiguously press control-c in cdb, type it on the debug target where you
ran cdb --.
As to the issue of downloading symbols:
You can either download the large file with all of them, or you can use the
symbol server, and the symbol server has a nice feature where it can locally
cache symbols as they are downloaded.
A good way to get the debugger to breakin when your code loads is to use
“sxe ld”, that’s stop on exception enable for .dll loads.
I have done little source debugging in ntsd/cdb. More commonly, I set
breakpoints on functions, not lines, and I read along in a source editor.
Use .lines to get k to show line numbers.
For the registry stuff, if it proves needed, try gflags +r +d32, gflags is
installed with the debuggers, do this on the debug target.
Getting this stuff all working I’m afraid is a bit tricky, and it is tricky
to understand the “-d” switch, what is kd vs. what is ntsd/cdb, but it does
eventually all work very well.
You can also just use.
in kd do
!process 0 0
that will show you a list of processes
find csrss.exe in the list, like:
PROCESS 81f3f900 SessionId: 0 Cid: 00a4 Peb: 7ffdf000 ParentCid: 008c
DirBase: 04a44000 ObjectTable: 81f3fc48 TableSize: 221.
Image: csrss.exe
Note that first hex value and then do like:
.process /r /p 81f3f900
but you can’t use sxe ld to break when your printer driver loads in
csrss using kd
…poking around…
kd> x winsrv!*load*driver*
5ffdbe64 winsrv!LoadPrinterDriver
5ffdce54 winsrv!_imp_load__DeletePrinterDriverExW
5ffdce78 winsrv!_imp_load__EnumPrinterDriversW
5ffdbf0c winsrv!UnloadPrinterDriver
5ffdce9c winsrv!_imp_load__AddPrinterDriverW
5ffdce66 winsrv!_imp_load__DeletePrinterDriverW
5ffdceae winsrv!_imp_load__GetPrinterDriverDirectoryW
5ffdce8a winsrv!_imp_load__AddPrinterDriverExW
5ffdcbbe winsrv!_imp_load__GetPrinterDriverW
LoadPrinterDriver sounds promising.
do like
bp /p 81f3f900 winsrv!LoadPrinterDriver
and then when it hits, I’m guessing:
bp /p 81f3f900 kernel32!LoadLibraryW
and do a g @$ra (go to return address) when that hits, then you should be
able to set breakpoints in your .dll.
/p to bp is for process-specific breakpoints.
Using kd you don’t have to worry about symbols as much. You can definitely
download them on demand from the symbol server. It’s less clear if that
works in cdb/ntsd debugging csrss. You can also use kd to get the symbols,
then xcopy the local symbol store it creates over to the debug target. Like
do the .process /r /p command and then .reload /f. … my debug target right
now is my internet connection sharer so this didn’t work so well for me, I
added various binaries to my symbol store then used rundll32 in a debugger
and .reload /f to get the debugger to find and download the symbols.
(i.e.:
for /f %a in ('dir /s/b/a-d *.dll') do Z:\bin\x86\cdb -g -G -n -xe ld:%~nxa rundll32 %a,x
and manually do .reload /f and q whenever you get a debugger prompt)
- Jay
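Jay's walkthrough finds csrss.exe by eye in the `!process 0 0` listing and then types its EPROCESS address into `.process /r /p` and `bp /p`. As an added example (not part of Jay's reply or of any Microsoft debugger tool), the Python below parses that listing format for any image name and emits the same kd command sequence; the process list it parses is a constructed sample, not a real capture.

```python
import re

# Constructed sample of `!process 0 0` output (not captured from a real
# target), laid out the way kd prints it and as quoted in the reply above.
SAMPLE_PROCESS_LIST = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81f3f900  SessionId: 0  Cid: 00a4    Peb: 7ffdf000  ParentCid: 008c
    DirBase: 04a44000  ObjectTable: 81f3fc48  TableSize: 221.
    Image: csrss.exe

PROCESS 81f2a020  SessionId: 0  Cid: 00b8    Peb: 7ffdf000  ParentCid: 008c
    DirBase: 04b10000  ObjectTable: 81f2a148  TableSize: 310.
    Image: winlogon.exe
"""

# Header line of each process entry: EPROCESS address, session id, client id.
PROCESS_RE = re.compile(
    r"^PROCESS\s+([0-9a-fA-F]+)\s+SessionId:\s*(\d+)\s+Cid:\s*([0-9a-fA-F]+)",
    re.MULTILINE)
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)", re.MULTILINE)


def parse_process_list(text):
    """Map lower-cased image name -> {eprocess, session, cid} for every
    PROCESS block in `!process 0 0` output. Chunks without both a PROCESS
    header and an Image line (e.g. the banner) are skipped."""
    procs = {}
    for block in re.split(r"\n(?=PROCESS\s)", text):
        head = PROCESS_RE.search(block)
        image = IMAGE_RE.search(block)
        if not head or not image:
            continue
        procs[image.group(1).lower()] = {
            "eprocess": head.group(1).lower(),
            "session": int(head.group(2)),
            "cid": head.group(3).lower(),
        }
    return procs


def kd_commands_for(procs, image, symbol):
    """Emit the kd sequence from the reply for one process: switch to its
    context, force a symbol reload, then set a process-specific breakpoint.
    Raises KeyError if the image is not listed (typo, or not running)."""
    ep = procs[image.lower()]["eprocess"]
    return [f".process /r /p {ep}", ".reload /f", f"bp /p {ep} {symbol}"]
```

Paste the real `!process 0 0` output in place of the sample and feed the returned lines to kd one at a time, since the breakpoint can only be set after the context switch has taken effect.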
----- Original Message -----
From: “File Systems Developers digest”
To: “ntfsd digest recipients”
Sent: Saturday, December 07, 2002 9:00 PM
Subject: ntfsd digest: December 07, 2002
> NTFSD Digest for Saturday, December 07, 2002.
>
> 1. I got some query regarding debugging using WinDbg
> ----------------------------------------------------------------------
> Subject: I got some query regarding debugging using WinDbg
> From: “Abhishek Gattani”
> Date: Sat, 7 Dec 2002 11:43:57 +0530
> X-Message-Number: 1
>
> Hello all,
> I got some query regarding debugging using WinDbg
>
> Source: Win NT 4.0
> Target: Windows 2000
> WinDBG Version: 6.10009.0
>
> I have connected to the two machines and when I type on one using hyper
> terminal the message gets displayed on the other.
>
> Now my target machine is a fresh machine nothing installed on it except the
> driver dlls and the operating system(Win2K). My host machine is the
> development machine and has everything installed. Now what things should I
> install on my target machine to enable debugging?
>
> Further I read somewhere that to enable debugging on the target machine some
> global flag in the registry has to be changed. Well in my fresh target
> machine such a registry key never existed. Does anyone have any
> suggestions?
>
> Further in my host machine what should be the value of this flag?
>
> I also made some changes to the system files in the target machine as per
> debugger help and now it shows “debugger enabled” during boot up against the
> Windows 2000 name.
>
> About the symbols I gave the path of the Microsoft symbol server well the
> result was that some symbols got downloaded. Some article mentioned that
> there is no need to have the symbols on the local machine and it's better to
> use the Microsoft symbol server path. I am not sure whether this would work.
> In case I have to download the symbols please guide me as to what I do so
> for both checked or build.
>
> See mine is a printer driver it prints virtually. Well I want to debug in
> the user mode though in the documentation it is mentioned that user mode
> processes can be debugged using single machine. But in my case it's the
> CSRSS.exe that loads the driver hence I read somewhere that I need to use
> two machines. Any comments on this?
>
> I did try to start some debugging but I was clueless as to what I should
> attach the process with etc. Can someone in simple terms tell me step by step
> what I should do to start debugging. Things like which machine should I
> boot first. Do I need to load the source files in windbg, do I need to
> build my driver with some special settings? What process should I attach to
> windbg? How will I know things are working? Should I set a breakpoint
> before or after debugging starts?
>
> See I have been trying to debug my driver and it's been a week. I need sincere
> help and I believe this group can provide so please do let me know at the
> soonest, and if anyone has a Yahoo chat ID I can even talk to you and do things as
> you suggest while I chat!
>
> Looking forward for a reply
>
> Cordial Regards
> Abhishek Gattani
> ----------------------------------------------------------------------