What is your favourite Windbg tip/trick?

c++ windows debugging windbg

22,256

Solution 1

My favorite is the command .cmdtree <file> (undocumented, but referenced in previous release notes). This can assist in bringing up another window (that can be docked) to display helpful or commonly used commands. This can help make the user much more productive using the tool.

Initially talked about here, with an example for the <file> parameter: http://blogs.msdn.com/debuggingtoolbox/archive/2008/09/17/special-command-execute-commands-from-a-customized-user-interface-with-cmdtree.aspx

Example: alt text http://blogs.msdn.com/photos/debuggingtoolbox/images/8954736/original.aspx

Solution 2

To investigate a memory leak in a crash dump (since I prefer by far UMDH for live processes). The strategy is that objects of the same type are all allocated with the same size.

Feed the !heap -h 0 command to WinDbg's command line version cdb.exe (for greater speed) to get all heap allocations:

"C:\Program Files\Debugging Tools for Windows\cdb.exe" -c "!heap -h 0;q" -z [DumpPath] > DumpHeapEntries.log

Use Cygwin to grep the list of allocations, grouping them by size:

grep "busy ([[:alnum:]]\+)" DumpHeapEntries.log \
| gawk '{ str = $8; gsub(/\(|\)/, "", str); print "0x" str " 0x" $4 }' \
| sort \
| uniq -c \
| gawk '{ printf "%10.2f %10d %10d ( %s = %d )\n", $1*strtonum($3)/1024, $1, strtonum($3), $2, strtonum($2) }' \
| sort > DumpHeapEntriesStats.log

You get a table that looks like this, for example, telling us that 25529270 allocations of 0x24 bytes take nearly 1.2 GB of memory.

   8489.52        707      12296 ( 0x3000 = 12288 )
  11894.28       5924       2056 ( 0x800 = 2048 )
  13222.66     846250         16 ( 0x2 = 2 )
  14120.41     602471         24 ( 0x2 = 2 )
  31539.30    2018515         16 ( 0x1 = 1 )
  38902.01    1659819         24 ( 0x1 = 1 )
  40856.38        817      51208 ( 0xc800 = 51200 )
1196684.53   25529270         48 ( 0x24 = 36 )

Then if your objects have vtables, just use the dps command to seek some of the 0x24 bytes heap allocations in DumpHeapEntries.log to know the type of the objects that are taking all the memory.

0:075> dps 3be7f7e8
3be7f7e8  00020006
3be7f7ec  090c01e7
3be7f7f0  0b40fe94 SomeDll!SomeType::`vftable'
3be7f7f4  00000000
3be7f7f8  00000000

It's cheesy but it works :)

Solution 3

The following command comes very handy when looking on the stack for C++ objects with vtables, especially when working with release builds when quite a few things get optimized away.

dpp esp Range

Being able to load an arbitrary PE file as dump is neat:

windbg -z mylib.dll

Query GetLastError() with:

!gle

This helps to decode common error codes:

!error error_number

Solution 4

Almost 60% of the commands I use everyday..

dv /i /t
?? this
kM (kinda undocumented) generates links to frames
.frame x
!analyze -v
!lmi
~

Explanation

dv /i /t [doc]
1. dv - display names and values of local variables in the current scope
2. /i - specify the kind of variable: local, global, parameter, function, or unknown
3. /t - display data type of variables
?? this [doc]
1. ?? - evaluate C++ expression
2. this - C++ this pointer
kM [doc]
1. k - display stack back trace
2. M - DML mode. Frame numbers are hyperlinks to the particular frame. For more info about kM refer to http://windbg.info/doc/1-common-cmds.html
.frame x [doc]
1. Switch to frame number x. 0 being the frame at top of stack, 1 being frame 1 below the 0th frame, and so on.
2. To display local variables from another frame on the stack, first switch to that frame - .frame x, then use dv /i /t. By default d will show info from top frame.
!analyze -v [doc1] [doc2 - Using the !analyze Extension]
1. !analyze - analyze extension. Display information about the current exception or bug check. Note that to run an extension we prefix !.
2. -v - verbose output
!lmi [doc]
1. !lmi - lmi extension. Display detailed information about a module.
~ [doc]
1. ~ - Displays status for the specified thread or for all threads in the current process.

Solution 5

The "tip" I use most often is one that will save you from having to touch that pesky mouse so often: Alt + 1

Alt + 1 will place focus into the command window so that you can actually type a command and so that up-arrow actually scrolls through command history. However, it doesn't work if your focus is already in the scrollable command history.

Peeve: why the heck are key presses ignored while the focus is in a source window? It's not like you can edit the source code from inside WinDbg. Alt + 1 to the rescue.

View more solutions

22,256

user15071

Updated on September 02, 2020

Comments

user15071 over 3 years

I have come to realize that Windbg is a very powerful debugger for the Windows platform & I learn something new about it once in a while. Can fellow Windbg users share some of their mad skills?

ps: I am not looking for a nifty command, those can be found in the documentation. How about sharing tips on doing something that one couldn't otherwise imagine could be done with windbg? e.g. Some way to generate statistics about memory allocations when a process is run under windbg.
pj4533 about 14 years

This is epic man, thanks a ton for posting it.
pj4533 about 14 years

I've been trying to implement this myself, but I am confused. How do you get the '3be7f7e8' address to give dds? Is that just the first column in the !heap output? Meaning you search your original log for the allocation of that size, get the address, then do a dds on it?
jturcotte about 14 years

Exactly, in the log you get a line that looks like this for every memory allocation: "3be7f7e8: 00038 . 00040 [107] - busy (24)". 24 is the value we search for here, got from the table above telling us that most of the memory is used by 0x24 bytes allocations. I then use cygwin's less to search DumpHeapEntriesStats.log for these lines using the command "/(24)", pick some of the matched addresses and dds them in cdb/WinDBG.
Dyno Fu over 12 years

donnot know why, but it seems not available in WinDbg:6.12.0002.633, when entered .cmdtree the help file popup.
Kris Kumler over 12 years

Was the file parameter included? I used the same version of WinDbg with that command successfully.
Dyno Fu over 12 years

you are right, i missed the the file parameter.
anishsane over 9 years

alt+2, alt+1, alt+2, ctrl+F4 Lame hack... Will work even if cursor is in command window. :P
Ohad Schneider about 8 years

Very cool! For a list of useful commands you might want to put in that file check out my post here: ohadsoft.com/2014/10/some-windbg-tips
Icarus over 5 years

The breakpoint command syntax is a pain to master. Would be nice if you add here an example of a breakpoint that adds a oneshot breakpoint.
Sahil Singh over 4 years

kM seems to be the default behavior in WinDbg Preview (available from Microsoft store), so k 5, and kM 5 will give equivalent results