WinDbg (affectionately pronounced "wind bag") is a hybrid kernel-mode and user-mode debugger that can be used to analyze crash dump files, executing driver code, and application dump files created by the Dr. Watson utility. This section provides an overview of the WinDbg capabilities. The DDK documentation provides additional details on the use of WinDbg in various debugging scenarios.

WinDbg is a hybrid debugger in that it serves a purpose in both kernel mode and user mode. It also combines the look and feel of a GUI (graphical) debugger with a window for entering old-style keyboard commands. WinDbg is supplied from several sources, including the DDK and Platform SDK. Additionally, it is supplied on the Customer Support and Diagnostics Tools CD of the Windows 2000 distribution.

The Key to Source Code Debugging

One of WinDbg's most powerful features is its ability to debug kernel-mode components at the source-code level. Source code and symbol files must be available to WinDbg during the debug session to allow this mode of operation.

SYMBOL DIRECTORIES

Symbol files are optionally generated with the compile and link process of a project. They include names for local and global variables, linked function addresses, and typedef information. Line number information is also provided by symbol files so that compiled machine instructions can be associated with source code lines. Microsoft tools can supply symbol files in several formats, including an older (but more standard) COFF format (Common Object File Format) and the PDB format (Program Database). Compiler and linker switches determine the format of the symbols generated.

The Windows 2000 operating system itself is supplied with associated symbol files. They are optionally installed from the Customer Support and Diagnostics Tools CD. Since symbol files change with each build, a service pack distribution of the operating system requires that the symbol files be updated.
Access to driver and OS symbols is essential for any serious debugging attempt. They provide intelligible call stack information and display of source code. Trying to isolate a bug from screens of disassembly is an exercise in frustration.

Once symbols are installed, WinDbg must be informed of their install location. This is accomplished by using the Symbols tab of the Options dialog box under the View menu. Operating system symbols are usually installed in the %SystemDir%\Symbols directory. Symbol files for a driver (.DBG or .PDB extension) are often kept with the binary .SYS file.

SOURCE CODE DIRECTORIES

Besides the symbol files, WinDbg needs access to the source code (.C and .H) for the driver in order to display it during debugging. A path for the source code directories can be supplied through the Source Files tab of the Options dialog under the View menu in WinDbg.

Some WinDbg Commands

Although WinDbg is a GUI program, its most useful operations are initiated from a command-line window. The command set is similar to other command-line debuggers supplied by Microsoft (e.g., NTSD and KD), so knowledge of the command set carries over. Table 17.1 provides a quick overview of the more common WinDbg commands. The WinDbg Help option provides more detailed information. Also, see the DDK for driver-specific (kdextx86.DLL) extension command help. Extension commands begin with a bang (!).
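As an added example (not from the book), the command-window equivalent of the Symbols and Source Files tabs, followed by the checks that tell you whether symbols really loaded. The driver name mydrv.sys, the directory paths, and the dot-command names (.sympath, .srcpath, .reload, as documented for current WinDbg builds) are assumptions, not something the book specifies.

```windbg
$$ Added example, not the book's own text. Paths and "mydrv" are placeholders.

$$ 1. Where OS symbols and the driver's .DBG/.PDB files live (Symbols tab).
.sympath C:\WINNT\Symbols;C:\drivers\mydrv\objchk\i386

$$ 2. Where the driver's .C and .H files live (Source Files tab).
.srcpath C:\drivers\mydrv

$$ 3. Re-read symbols for the loaded modules using the new path.
.reload

$$ 4. Check the result. A module listed as "(deferred)" or "(no symbols)"
$$    will give you disassembly only; you want a .pdb or .dbg symbol status.
lm m mydrv

$$ 5. If the driver's symbols did not resolve, make symbol loading verbose
$$    and retry; WinDbg then reports which path or file it rejected.
!sym noisy
.reload mydrv.sys

$$ 6. With symbols in place, names and line numbers resolve.
$$    List the driver's symbols:
x mydrv!*
$$    Deferred breakpoint on the driver's entry point (bu survives a reload):
bu mydrv!DriverEntry
$$    Run; WinDbg opens the .c file at the breakpoint instead of disassembly.
g
$$    The call stack now shows function names rather than raw addresses.
k
```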