This post gives you a simple summary of the most needed WinDbg commands for .NET. This command is equivalent to ed or eq, depending on whether the target computer's processor architecture is 32-bit or 64-bit, respectively. by initialization order vars matching Pattern One of the most advanced and complicated is undoubtedly WinDbg, which every .NET developer should know. rM Mask Reg1, Reg2 !sym quiet, Get state of symbol loading 1. List output settings -> which processor's unwinder is used for stack tracing

r Reg:[Num]Type If you're using the .NET Framework, the easiest way to load sos.dll is via the command .loadby sos clr. Search for potentially leaked heap blocks, !heap Heap -b [alloc | realloc | free] [Tag] Example 2: .formats poi(nLocal1) == .formats @@($!nLocal1), Displays the most recent exception or event that occurred (why the debugger is waiting? !heap d*p. Display referenced memory = display pointer at specified Addr, dereference it, and then display the memory at the resulting location in a variety of formats.

00007fff8c4971b8 7 17736 System.Object[] Flags for Mask To get source information you must additionally enable page heap in step 1 (gflags.exe /i MyApp.exe +ust +hpa), Select "Create user mode stack trace database" and "Enable page heap" for your image in GFlags (gflags.exe /i MyApp.exe +ust +hpa), Enable "Create user mode stack trace database" for your image in GFlags (gflags.exe /i MyApp.exe +ust). Details of heap allocation containing UserAddr. ]Name* Example 1: .formats 5 Go up = execute until the current function is complete Download the mex.exe archive.

If this value matches any known symbol, this symbol is displayed as well. b = byte

00007fff8c499cb8 8 3884 System.Byte[] 000002450c7ed998 00007fff38dd6668 24 .symfix+ DownstreamStore. [~Thrd] bp[#] [Options] [Addr] [Passes] ["CmdString"], Set breakpoint at address dp* FPO info, calling convention, display raw stack data + possible symbol info == dds esp. specify frame # Answering the mystery what parts of program bombard SQL Server with queries. NAME = placeholder for extension DLL Size: 24(0x18) bytes source mode vs. assembly mode, Go .step_filter "FilterList" Most of the examples are heavily inspired by Konrad Kokosa’s excellent book Pro .NET Memory Management. For troubleshooting .NET (Core) memory or performance issues, there are a lot of free or commercial tools available. There are some other useful extensions with additional features available for free: In this post, I am focusing on the SOS debugging extension which is installed by default with the .NET Framework or .NET Core.

First, load the SOS extension into the debugger using the .load command. Enable logging + possibly initialize it if not yet done. .step_filter /c. Working with WinDbg is kind of pain in the ass and I never remember all the commands by heart, so I write down the commands I used. -ma : Write a dump file with all process memory. : r eax:uw) Size = Size of each element I've been staring at it for quite some time but I can't figure out where I'm doing wrong. List heaps with index and range (= startAddr(=HeapAddr), endAddr)

!heap -v [HeapAddr | Idx | 0]

a = ascii string -c "command" Executes a command line after the debugger is attached. Starts a kernel debugging session using an EXDI driver. .expr /s c++ break second-chance !tls [-1 | SlotIdx] TebAddr, -1 = dump all slots for current thread Version 10 of WinDbg can still be used on Windows 7. Ongoing SQL commands .

wt -i Module [-i Module2] .. DML mode of lm; lmv command links included in output. Search for any memory containing printable Unicode strings Causes the debugger to ignore the symbol path and executable image path environment variables. Do you have any ideas ? -------

The ObjSize command includes the size of all child objects in addition to the parent. Under Windows, several options are available for creating a memory dump. -y Name = partially match instead of default exact match reserved and committed memory [Idx = heap Idx, 0 = all heaps] [b = first 3 params, v = FPO + calling convention, p = all params: param type + name + value], [n = with frame #] Starts a kernel debugging session on the same machine as the debugger. Passes = Activate breakpoint after #Passes (it is ignored before), Set unresolved breakpoint. Causes the debugger to display 'File access error' messages during symbol load.

S = UNICODE_STRING, dds [/c #] [Addr] Search for objects of the same type. A detailed display of the elements can be achieved with the -details option. Use !list to execute some command for each element in the list. The Windows Task Manager, Sysinternals Process Explorer or Sysinternals ProcDump, my favourite tool. Loading stuff .loadby sos mscorwks Load SOS extension (will identify sos location by loaded mscorwks path) .load c:\Windows\Microsoft.NET\Framework\v2.0.50727\sos Load SOS extension for .NET 2.0 .load psscor2 Load PSSCOR…

x /a .. Control Keys. 000002450730aa40 69 169408 Free MEX Debugging Extension. Addr = start address of the list

After a reboot, the debugger will break into the target computer as soon as a kernel module is loaded. .reload /f @"C:\WINNT\System32\verifier.dll".

Ignores the initial breakpoint in target application. Show available evaluators

00007fff38f84a30 2 65584 MemoryLeaker.MyData[] -threads Extract to any folder. Delete specified memory ranges (any saved range containing Addr or overlapping with Range), !heap -? Output directory optional. x /n .. SOSEX for .NET. d*u -> dereferenced mem as Unicode chars After this call is returned execution will continue until another call is reached. Detailed info for a block at given address Show number formats = evaluates a numerical expression or symbol and displays it in multiple numerical formats (hex, decimal, octal, binary, time, ..) oR = dump return register values (EAX value) in the appropriate type Pattern = a series of bytes (numeric or ASCII chars) ~Thrd == thread that the bp applies to. For more information about remote debugging see Remote Debugging. b = dump in reverse order (follow BLinks instead of FLinks) Num = number of elements to display (i.e. a = ascii chars Connects to a debugging server that is already running. lmD, List modules; verbose | with loaded symbols | k-kernel or u-user only symbol info | image path; pattern that the module name must match Learn more about installation and configuration in WinDbg Preview - Installation. Specifies the thread ID of a thread to be resumed when the debugging session is started.


