| Debugging Tools for Windows |
In Microsoft Windows XP and later operating systems, it is possible to do local kernel debugging by starting the kernel debugger (KD) or WinDbg with the –kl command line option:
or
Local debugging does not require the machine to be booted with the /debug option.
Live local debugging is extremely useful for debugging issues that are difficult to reproduce when the debugger is attached; however, anything that requires knowledge of time sensitive information, including packet, IRP, and SRB data, is unlikely to work unless the problem is a hang or a stall.
When performing local debugging, consider the following variables:
Consider the last of these.
First, use the !process 0 0 extension to identify the process containing the hung thread. Then, issue !process again for more information about that thread:
THREAD 81705da8 Cid 0b5c.0b60 Teb: 7ffde000 Win32Thread: e1b2d890 WAIT: (Suspended)
IRP List:
816c9ad8: (0006,0190) Flags: 00000030 Mdl: 00000000
Start Address kernel32!BaseProcessStartThunk (0x77e5c650)
Win32 Start Address 0x0101c9be
Stack Init f50bf000 Current f50bea74 Base f50bf000 Limit f50b9000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0
The threads are not displayed, but the stack addresses are. Using the dds (or ddq) command on the current address on the stack yields a starting point for further investigation, because it specifies which process is calling.
f50bea74 f50bebc4
f50bea78 00000000
f50bea7c 80805795 nt!KiSwapContext+0x25
f50beab4 8080ece0 nt!KeWaitForSingleObject
f50beabc f942afda ks!CKsQueue::CancelAllIrps+0x14
f50bead8 f94406c4 ks!CKsQueue::SetDeviceState+0x170
f50beb00 f943f6f1 ks!CKsPipeSection::DistributeDeviceStateChange+0x1d
f50beb24 f943fb1e ks!CKsPipeSection::SetDeviceState+0xb2