\n\nThis page has been machine-translated from the original page.
\n
In this chapter, I introduce the basic UI operations of WinDbg used for analysis.
\nAlso, the official documentation already provides very thorough coverage of the basic procedures for debugging and analyzing dump files with WinDbg.
\nWhat is WinDbg:
\nhttps://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/windbg-overview
\nSo, if you want to learn more about how to use WinDbg, please refer to the official documentation above.
\n\nThis is the GUI of WinDbg (Classic) immediately after launching it with administrator privileges.
\nEach button has the following function.
\n| Number | \nFunction | \nShortcut | \n
|---|---|---|
| 1 | \nOpen Source File | \nCtrl+O | \n
| 2 | \nInsert or remove breakpoint | \nF9 | \n
| 3 | \nCommand | \nAlt+1 | \n
| 4 | \nWatch | \nAlt+2 | \n
| 5 | \nLocals | \nAlt+3 | \n
| 6 | \nRegisters | \nAlt+4 | \n
| 7 | \nMemory Window | \nAlt+5 | \n
| 8 | \nCall Stack | \nAlt+6 | \n
| 9 | \nDisassembly | \nAlt+7 | \n
| 10 | \nScratch Pad | \nAlt+8 | \n
| 11 | \nProcesses and Threads | \nAlt+9 | \n
| 12 | \nCommand Browser | \nCtrl+N | \n
| 13 | \nSource mode ON | \nN/A | \n
| 14 | \nSource mode OFF | \nN/A | \n
| 15 | \nFont | \nN/A | \n
| 16 | \nOptions | \nN/A | \n
If you are using the Windows app version of WinDbg, the icons and UI differ from the WinDbg (Classic) screen above, but except for a few cases the window names, functions, and default shortcut keys are the same, so there is no need to worry.
\nThe leftmost button on the toolbar, button 1, is the Open Source File button.
Clicking this button opens an Explorer window, letting you open source files in WinDbg. (You cannot run a file or attach to a process from the Open Source File button.)
The shortcut key is [Ctrl+O].
\nWhen you open a source file, you can browse its source code in WinDbg. (This is read-only, and you cannot write to it.)
\nSource browsing is not a feature used in this book, but it is extremely helpful when debugging a program you developed yourself.
\nButton 2 is Insert or remove breakpoint.
It is available only when the active window is the Source window or the Disassembly window.
\nPressing this button while a location is selected lets you toggle a breakpoint at that location.
\nThe shortcut key is [F9].
\nBecause this book does not set breakpoints when analyzing dump files, we do not use this feature here.
\nIf the Command window is closed, clicking button 3 opens a new Command window.
\nThe shortcut key is [Alt+1].
\nThe Command window is one of the features you will use most often when analyzing dump files, so it is convenient to remember this shortcut.
\nClicking button 4 opens the Watch window.
\nThe shortcut key is [Alt+2].
\nThe Watch window is not used in this book, but it can be useful in some debugging scenarios.
\nFor details on how to use it, please refer to the official documentation below.
\nUsing the Watch window:
\nhttps://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/watch-window
\nClicking button 5 opens the Locals window.
\nThe shortcut key is [Alt+3].
\nThis window is also not used in this book, so I will omit a detailed introduction.
\nClicking button 6 opens the Registers window.
\nThe shortcut key is [Alt+4].
\nFor how to display and edit registers using the Registers window, please refer to the documentation below.
\nThe Registers window is not used as often for dump file analysis as it is during live debugging.
\nHowever, it is a very useful feature because it lets you quickly inspect register information in a list.
\nDisplaying and editing registers in WinDbg:
\nhttps://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/registers-window
\nWhen you open the Registers window while analyzing a dump file, you can view and edit each register value as shown below.
\nClicking button 7 opens the Memory window.
\nThe shortcut key is [Alt+5].
\nFor details on the Memory window, please refer to the documentation below.
\nDisplaying and editing memory in WinDbg:
\nhttps://learn.microsoft.com/ja-jp/windows-hardware/drivers/debugger/memory-window
\nClicking button 8 opens the Call Stack window.
\nThe shortcut key is [Alt+6].
\nThe Call Stack window displays call history information from the stack.
\nThis is the same information as the stack trace displayed when you run the k command in the Command window.
Because it is a little tedious to open all required windows every time you analyze a dump, let’s configure the WinDbg workspace.
\nFirst, with some of the windows you want to use for analysis already open, drag each window with the mouse into the main WinDbg window.
\nIf you drag them to the edge or center of a window just right, you will see that the windows can be arranged in vertical or horizontal splits.
\nYou can also place two or more windows on top of one another so that they are grouped together as tabs in one place.
\nFor example, in the screen below, the Command window is placed on the right, the Disassembly window and Memory window are stacked in the upper-left half, and the Scratch Pad is placed in the lower-left half.
\nThe contents of WinDbg Help are basically the same as the command reference in the official documentation.
\nWinDbg Help is available only in English, but personally I find it easier to search than the official documentation, so I use it frequently when I want to look something up quickly.
\nThere is also unofficial information, such as cheat sheets published by individuals on the internet, that can be useful for working with WinDbg commands.
\nAs one example, below is the URL of a cheat sheet that I personally created and use.
\nCheat sheet for dump analysis and live debugging with WinDbg:
\nhttps://kashiwaba-yuki.com/windbg-basics-001
\nIn this chapter, I introduced the basic features and UI operations of WinDbg, the tool used in this book to analyze Windows dump files.
\nIn particular, the Disassembly, Registers, and Memory windows are extremely helpful for reducing stress while analyzing when you are not yet comfortable using debugger commands.
\nOnce you become somewhat used to debugger commands, you may find yourself using windows other than the Command window and Scratch Pad less often, but I hope you will still try out WinDbg’s handy features.
\n