Windows Kernel Debugging Tips

Kernel Debugging Setup

Windows kernel debugging requires two computers: the "target computer", where the code being debugged runs, and the "host computer", where the debugger runs. Host and Target computers are connected either by a null-modem (COM-to-COM) cable or by a FireWire (1394) cable. 1394 is preferable since it is much faster.

Target Computer configuration for 1394 debugging

For Vista+ systems, run the following commands from the elevated console:

  1. bcdedit /copy {current} /d "Windows with 1394 debugger enabled (ch 10)"
    • the command should create a new boot entry and print: "The entry was successfully copied to {guid-string}"
  2. bcdedit /set {the-above-guid-string} debug on
  3. bcdedit /set {the-above-guid-string} debugtype 1394
  4. bcdedit /set {the-above-guid-string} channel 10
    • NOTE: any channel number can be used, but the host and the target must use the same channel. We use 10 throughout this article for simplicity.
    • NOTE: once you don't need kernel debugging anymore, you can remove the above entry by the following command run from an elevated console:
      bcdedit /delete {the-above-guid-string}
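The four bcdedit steps above can be scripted so that the GUID printed by the copy command is captured rather than retyped by hand. The script below is an added example, not part of the original article: it runs from an elevated PowerShell prompt on the target, extracts the new entry's GUID from the output of bcdedit /copy, applies the debug settings on that entry only (the {current} entry is left untouched), and then lists the new entry so the settings can be checked before rebooting. The channel number and description are the article's values; the variable names are this example's own.

```powershell
# Added example (not from the original article): automate the target-side bcdedit
# steps for 1394 kernel debugging. Run from an elevated PowerShell prompt on the target.
$Channel     = 10
$Description = "Windows with 1394 debugger enabled (ch $Channel)"

# Step 1: copy the current boot entry. bcdedit prints
#   "The entry was successfully copied to {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
$copyOutput = bcdedit /copy '{current}' /d $Description
if ($LASTEXITCODE -ne 0) {
    throw "bcdedit /copy failed (are you running elevated?): $copyOutput"
}

# Pull the GUID of the new entry out of that message instead of retyping it.
$guidPattern = '\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}'
$match = [regex]::Match(($copyOutput -join ' '), $guidPattern)
if (-not $match.Success) {
    throw "Could not find the new entry GUID in bcdedit output: $copyOutput"
}
$DebugEntry = $match.Value
Write-Host "New boot entry: $DebugEntry"

# Steps 2-4: enable the kernel debugger on the new entry only, over 1394 on $Channel.
# The original {current} entry keeps booting without a debugger attached.
bcdedit /set $DebugEntry debug on
if ($LASTEXITCODE -ne 0) { throw "Failed to enable debug on $DebugEntry" }
bcdedit /set $DebugEntry debugtype 1394
if ($LASTEXITCODE -ne 0) { throw "Failed to set debugtype on $DebugEntry" }
bcdedit /set $DebugEntry channel $Channel
if ($LASTEXITCODE -ne 0) { throw "Failed to set channel on $DebugEntry" }

# Check: the entry should now show debug=Yes, debugtype=1394, channel=$Channel.
bcdedit /enum $DebugEntry

# When kernel debugging is no longer needed, remove only the debug entry:
#   bcdedit /delete $DebugEntry
```

Keeping the debugger on a separate boot entry matters: a kernel with `debug on` accepts control from whatever is attached to the debug transport, so the entry should be selected only for debugging sessions and deleted with `bcdedit /delete` when the work is done.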

Host Computer configuration

  1. Install Debugging Tools For Windows. You can install it as a stand-alone component from the Windows SDK as described here.
    • Both the 32-bit and 64-bit versions of Debugging Tools can be used to debug both 32-bit and 64-bit Targets.
  2. Run the WinDbg debugger: "Start"->"All Programs"->"Debugging Tools For Windows"->"WinDbg".
  3. Setup WinDbg symbol paths: "File"->"Symbol File Path" -> in the "Symbol File Path" dialog enter "srv*c:\symbols*" (w/o quotes) in the edit box->"OK"
    • NOTE: C:\symbols here is the path of your downstream store, i.e. the directory where downloaded symbols are stored (cached). You can use any path for that.

Starting Kernel Debugging

Once both Host & Target computers are configured with the above steps, you can start kernel debugging by the following steps:

  1. Connect Host and Target computer with a 1394 cable (for 1394 debugging) or with a null-modem cable (for null-modem debugging).
  2. Follow the steps below, first on the host and then on the target machine:

Host Computer

  1. Run the WinDbg debugger: "Start"->"All Programs"->"Debugging Tools For Windows"->"WinDbg".
    • NOTE: you need to run it with elevated privileges (i.e. "Run As Administrator") the first time you set up 1394 kernel debugging, so that it can install the necessary 1394 debugging driver.
  2. For 1394 debugging: in WinDbg do: "File"->"Kernel Debug"->open the "1394" tab and type "10" (w/o quotes) in the "Channel" edit box->press "OK"
    • The first time you do it you'll see some progress while WinDbg is installing the 1394d driver.
    • Finally WinDbg should print something like
      Opened \\.\DBG1394_INSTANCE10
      Waiting to reconnect...

Target Computer

  1. Power-on the Target Computer
  2. In the displayed boot menu select the entry you previously added using steps in the "Kernel Debugging Setup" section above, e.g. "Windows with 1394 debugger enabled (ch 10)"

Common Kernel Debugging Tasks

NOTE: unless otherwise specified, all the tasks here list WinDbg commands that should be entered in the debugger command window. The command window becomes active only when the debuggee has broken into the debugger. To force the target system to break, use <Ctrl>+<Break>; to resume, use the "g" command (in the debugger command window, of course).

Creating a dump file with WinDbg

  1. Minidump
    .dump /m <dump\file\path\on\the\host\system.dmp>
  2. Full memory dump
    .dump /f <dump\file\path\on\the\host\system.dmp>
  3. Kernel memory dump - it's not possible to do that with WinDbg