Document: Memory Dump Analysis Anthology - P7 - Pdf 87

WinDbg Tips and Tricks 181
SUSPENDING THREADS
Suspending threads during a live kernel debugging session can be useful for debugging or reproducing race conditions. For example, suppose one thread depends on another thread finishing its work first. Sometimes, very rarely, the latter thread finishes after the moment the first thread expects it to. To model this race condition we can simply patch the prologue of the second thread's worker function with a ret instruction. This has the same effect as suspending the thread: it cannot produce the required data.
Note: ~n (suspend) and ~f (freeze) are for user mode live debugging only.
HEAP STACK TRACES
If we have the user mode stack trace database enabled on Windows 2003 Server for some service or application, get a crash dump, and try to retrieve the saved stack traces using the !heap extension command, we might get these errors:
0:000> !heap -k -h 000a0000
Heap entries for Segment00 in Heap 000a0000
000a0c50: 00c50 . 00040 [01] - busy (40)
000a0c90: 00040 . 01818 [07] - busy (1800), tail fill - unable to read heap entry extra at 000a24a0
000a24a8: 01818 . 00030 [07] - busy (18), tail fill - unable to read heap entry extra at 000a24d0
000a24d8: 00030 . 005a0 [07] - busy (588), tail fill - unable to read heap entry extra at 000a2a70
The solution is to use the old Windows 2000 extension ntsdexts.dll:
0:000> !.\w2kfre\ntsdexts.heap -k -h 000a0000
Stack trace (12) at 1021bfc:
7c85fc22: ntdll!RtlAllocateHeapSlowly+0x00000041

!dml_proc

Here we can click on a process link and get the list of threads:

We can click either on the “Full details” link or on an individual thread link to see its call stack. If we select the “user-mode state” link we switch to the process context automatically (useful for complete memory dumps):
kd> .process /p /r 0x8342c128
Implicit process is now 8342c128
Loading User Symbols
We can also navigate frames and local variables very easily:

If we click on a thread name (<No name> here) we get its context:

Clicking on a number sets the scope and shows local variables (if we have full PDB files):

A similar command is kM:

Another useful command is lmD, where we can easily inspect modules:
ANALYZING HANGS FASTER

004015a2 00405068 component!_imp__GetTickCount
00405068 7c80929c kernel32!GetTickCount
7c80929c fe0000ba
004015a6 458df033
458df033 ????????
458df033 ????????
004015aa 15ff50f0
15ff50f0 ????????
15ff50f0 ????????
004015ae 00405064 component!_imp__QueryPerformanceCounter
00405064 7c80a427 kernel32!QueryPerformanceCounter
7c80a427 8b55ff8b
004015b2 33f4458b
33f4458b ????????
33f4458b ????????
If we want quadruply dereferenced memory we just need to add an additional dps @$t0 l1; to the .for loop body. With this script even a double dereference looks much better, because it shows symbol information for the first dereference too, whereas the dpp command shows a symbol name only for the second dereference.
Another, less “elegant” variation without the $p pseudo-register uses the poi operator, but we need a .catch block to prevent the script terminating on invalid memory access:
0:000> .for (r $t0=00000000`004015a2, $t1=4; @$t1 >= 0; r $t1=$t1-1, $t0=$t0+$ptrsize) { .catch { dds $t0 l1; dds poi($t0) l1; dds poi(poi($t0)) l1; }; .printf "\n" }
004015a2 00405068 component!_imp__GetTickCount
00405068 7c80929c kernel32!GetTickCount
7c80929c fe0000ba
004015a6 458df033

---------
004015aa 15ff50f0
15ff50f0 ????????
Cannot read next element at 15ff50f0
004015ae:
---------
004015ae 00405064 component!_imp__QueryPerformanceCounter
00405064 7c80a427 kernel32!QueryPerformanceCounter
7c80a427 8b55ff8b
8b55ff8b ????????
Cannot read next element at 8b55ff8b
004015b2:
---------
004015b2 33f4458b
33f4458b ????????
Cannot read next element at 33f4458b
The advantage of !list is that it follows an unlimited number of pointer dereferences until an invalid address is reached.
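As an added illustration (not from the book), the following Python models what the .for/.catch script and !list do: follow a chain of pointers through a constructed 32-bit memory image, resolving symbols where known and stopping at the first unreadable address. The memory contents, symbol names and the pointer size of 4 are assumptions that mirror the listing above.

```python
# Added example: chained pointer dereference with "stop at invalid address",
# modelled on dds/dps inside a .for/.catch loop and on !list's unbounded walk.

# Constructed memory image (assumption): address -> 4-byte little-endian value,
# laid out like the import thunk chain in the book's listing.
MEMORY = {
    0x004015A2: 0x00405068,   # push of the IAT entry address
    0x00405068: 0x7C80929C,   # IAT entry -> kernel32!GetTickCount
    0x7C80929C: 0xFE0000BA,   # first code bytes, not a valid pointer
    0x004015A6: 0x458DF033,   # next slot: instruction bytes, not a pointer
}
SYMBOLS = {0x00405068: "component!_imp__GetTickCount",
           0x7C80929C: "kernel32!GetTickCount"}
PTRSIZE = 4                   # $ptrsize on x86 (assumption)

def read_ptr(addr):
    """Read one pointer-sized value; raise on unmapped memory, as the debugger does."""
    if addr not in MEMORY:
        raise MemoryError(f"Cannot read next element at {addr:08x}")
    return MEMORY[addr]

def symbol(addr):
    return SYMBOLS.get(addr, "")

def deref_chain(start, max_depth=None):
    """Follow pointers from start until an invalid address or max_depth hops.
    Returns [(address, value, symbol_of_value), ...], one entry per level,
    which is what each dds/dps in the loop body prints. max_depth=None
    behaves like !list: unlimited until memory cannot be read."""
    chain, addr, depth = [], start, 0
    while max_depth is None or depth < max_depth:
        try:
            value = read_ptr(addr)
        except MemoryError:
            break                       # .catch / !list stop here
        chain.append((addr, value, symbol(value)))
        addr, depth = value, depth + 1
    return chain

def dump_range(start, count, depth):
    """The .for loop: one bounded chain per pointer-sized slot from start."""
    return [deref_chain(start + i * PTRSIZE, depth) for i in range(count)]

if __name__ == "__main__":
    for chain in dump_range(0x004015A2, 2, 3):
        for addr, value, sym in chain:
            print(f"{addr:08x} {value:08x} {sym}")
        print()
```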

FINDING A NEEDLE IN A HAYSTACK
There is a good WinDbg command to list unique threads in a process. Some processes have so many threads that it is difficult to find anomalies in the output of the ~*kv command, especially when most threads are similar, for example waiting for an LPC reply. In this case we can use the !uniqstack command to list only threads with unique call stacks and then list the duplicate thread numbers.
0:046> !uniqstack
Processing 51 threads, please wait
. 0 Id: 1d50.1dc0 Suspend: 1 Teb: 7fffe000 Unfrozen

0:046> ~49kL
ChildEBP RetAddr
0c58fe18 7c821c54 ntdll!KiFastSystemCallRet
0c58fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
0c58ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
0c58ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
0c58ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
0c58ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
0c58ffec 00000000 kernel32!BaseThreadStart+0x34
0:046> ~47kL
ChildEBP RetAddr
0b65fe18 7c821c54 ntdll!KiFastSystemCallRet
0b65fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
0b65ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198
0b65ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
0b65ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0x9d
0b65ffb8 77e6608b RPCRT4!ThreadStartRoutine+0x1b
0b65ffec 00000000 kernel32!BaseThreadStart+0x34
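As an added example (not from the book), here is the grouping that !uniqstack performs, written in Python over a constructed ~*kL listing: frames are compared by symbol only, so threads 47 and 49, whose ChildEBP/RetAddr columns differ, land in the same group. The thread ids and TEB values for threads 47 and 49 are constructed.

```python
# Added example: group threads by identical call stack, as !uniqstack does.
import re
from collections import OrderedDict

# Constructed ~*kL output (not a real dump): three threads, two of them in the
# same LPC wait as the ~49kL / ~47kL listings above.
KL_OUTPUT = """\
.  0  Id: 1d50.1dc0 Suspend: 1 Teb: 7fffe000 Unfrozen
ChildEBP RetAddr
0012fe18 7c821c54 ntdll!KiFastSystemCallRet
0012ffec 00000000 kernel32!BaseThreadStart+0x34
  47  Id: 1d50.1e80 Suspend: 1 Teb: 7ff8a000 Unfrozen
ChildEBP RetAddr
0b65fe18 7c821c54 ntdll!KiFastSystemCallRet
0b65fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
0b65ffec 00000000 kernel32!BaseThreadStart+0x34
  49  Id: 1d50.1f10 Suspend: 1 Teb: 7ff86000 Unfrozen
ChildEBP RetAddr
0c58fe18 7c821c54 ntdll!KiFastSystemCallRet
0c58fe1c 77c7538c ntdll!ZwReplyWaitReceivePortEx+0xc
0c58ffec 00000000 kernel32!BaseThreadStart+0x34
"""

THREAD_HDR = re.compile(r"^[.# ]\s*(\d+)\s+Id:")          # ". 0 Id: ..." lines
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (\S+)$")    # ChildEBP RetAddr symbol

def parse_threads(text):
    """Return {thread_number: [frame symbol, ...]}. Addresses are dropped so
    stacks that differ only in ChildEBP/RetAddr compare equal."""
    threads, current = OrderedDict(), None
    for line in text.splitlines():
        m = THREAD_HDR.match(line)
        if m:
            current = int(m.group(1))
            threads[current] = []
            continue
        f = FRAME.match(line.strip())
        if f and current is not None:
            threads[current].append(f.group(1))
    return threads

def unique_stacks(threads):
    """Group threads with identical stacks: {stack tuple: [thread numbers]}."""
    groups = OrderedDict()
    for tid, frames in threads.items():
        groups.setdefault(tuple(frames), []).append(tid)
    return groups

if __name__ == "__main__":
    for stack, tids in unique_stacks(parse_threads(KL_OUTPUT)).items():
        print(f"threads {tids}: {' <- '.join(stack)}")
```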
