{"componentChunkName":"component---src-templates-post-template-js","path":"/windows-windbg-004-kernel-debug-en","result":{"data":{"markdownRemark":{"id":"5045b0ee-88c9-5a11-ab68-4bcbcb57320a","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/windows-windbg-004-kernel-debug\">original page</a>.</p>\n</blockquote>\n<p>My goal is to become proficient with WinDbg for Windows debugging and dump-based troubleshooting.</p>\n<p>In <a href=\"/windows-windbg-002-tutorial-en\">Trying the WinDbg User-Mode Debugging Tutorial</a>, I introduced the first steps for debugging a user-mode process with WinDbg based on the official tutorial.</p>\n<p>In this article, I summarize how to perform kernel-mode debugging with WinDbg.</p>\n<p>For a list of information I have published about Windows debugging and dump analysis with WinDbg, see the page below.</p>\n<p>Reference: <a href=\"/windows-windbg-001-index-en\">Debugging and Troubleshooting Techniques with WinDbg</a></p>\n<p>This article covers the following topics.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#setting-up-an-environment-for-kernel-mode-debugging\">Setting Up an Environment for Kernel-Mode Debugging</a></p>\n<ul>\n<li><a href=\"#environment-used-in-this-article\">Environment Used in This Article</a></li>\n<li><a 
href=\"#changing-hyper-v-settings\">Changing Hyper-V Settings</a></li>\n<li><a href=\"#changing-virtualbox-settings\">Changing VirtualBox Settings</a></li>\n<li><a href=\"#enabling-kernel-mode-debugging\">Enabling Kernel-Mode Debugging</a></li>\n<li><a href=\"#configuring-windbg\">Configuring WinDbg</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#performing-kernel-debugging-with-windbg\">Performing Kernel Debugging with WinDbg</a></p>\n<ul>\n<li><a href=\"#stopping-the-kernel-from-windbg\">Stopping the Kernel from WinDbg</a></li>\n<li><a href=\"#displaying-a-list-of-modules-in-kernel-mode-debugging\">Displaying a List of Modules in Kernel-Mode Debugging</a></li>\n<li><a href=\"#setting-a-breakpoint-in-a-kernel-module\">Setting a Breakpoint in a Kernel Module</a></li>\n</ul>\n</li>\n<li><a href=\"#wrap-up\">Wrap-up</a></li>\n</ul>\n<h2 id=\"setting-up-an-environment-for-kernel-mode-debugging\" style=\"position:relative;\"><a href=\"#setting-up-an-environment-for-kernel-mode-debugging\" aria-label=\"setting up an environment for kernel mode debugging permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Setting Up an Environment for Kernel-Mode Debugging</h2>\n<p>To perform kernel-mode debugging with WinDbg, you need two systems: a host computer that runs WinDbg and a target computer to be debugged, connected by one of the following methods.</p>\n<ul>\n<li>Ethernet</li>\n<li>USB 2.0 / USB 3.0</li>\n<li>Serial (also called a null modem)</li>\n</ul>\n<p>Reference: <a 
href=\"https://docs.microsoft.com/ja-jp/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode-\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">WinDbg Overview (Kernel Mode) - Windows drivers | Microsoft Docs</a></p>\n<p>Strictly speaking, two machines are needed only if you want to halt the target and inspect the whole kernel.\nLocal kernel debugging on a single machine is also possible, but because the running OS can never be stopped, breakpoints and single-stepping in kernel code are not available and you are limited to examining (and modifying) the kernel memory of the live system.</p>\n<p>Reference: <a href=\"https://docs.microsoft.com/ja-jp/windows-hardware/drivers/debugger/setting-up-local-kernel-debugging-of-a-single-computer-manually\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Manually setting up local kernel debugging of a single computer - Windows drivers | Microsoft Docs</a></p>\n<p>Normally, kernel-mode debugging therefore requires two computers, but WinDbg can also debug the kernel of a Windows installation running in a virtual machine: the hypervisor exposes the guest's virtual COM port as a named pipe on the host, and WinDbg on the host connects to that pipe just as it would to a serial cable.</p>\n<p>This time, I will set up kernel-mode debugging for Windows machines built on Hyper-V and VirtualBox.</p>\n<h3 id=\"environment-used-in-this-article\" style=\"position:relative;\"><a href=\"#environment-used-in-this-article\" aria-label=\"environment used in this article permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Environment Used in This Article</h3>\n<ul>\n<li>\n<p>Host machine</p>\n<ul>\n<li>Windows 10 Pro 20H2</li>\n<li>WinDbg 10.0.22000.1 AMD64 (started with administrator privileges)</li>\n<li>VirtualBox 6.1.26</li>\n<li>Hyper-V</li>\n</ul>\n</li>\n<li>\n<p>Target machine</p>\n<ul>\n<li>Windows 10 Pro 22H2 (built on Hyper-V)</li>\n<li>Windows 10 Pro 1511 (built on VirtualBox)</li>\n</ul>\n</li>\n</ul>\n<h3 id=\"changing-hyper-v-settings\" style=\"position:relative;\"><a href=\"#changing-hyper-v-settings\" aria-label=\"changing hyper v settings permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Changing Hyper-V Settings</h3>\n<p>This section assumes that a Windows 10 virtual machine has already been created on Hyper-V.</p>\n<p>For kernel debugging, open the settings for the target virtual machine in Hyper-V Manager and configure COM1 as shown below. Hyper-V Manager only exposes COM port settings for Generation 1 VMs; for a Generation 2 VM, assign the named pipe to COM1 with the <code class=\"language-text\">Set-VMComPort</code> PowerShell cmdlet instead.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 433px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/26e3cc2be7432cf21453a6ac82ccf9b6/55fc0/image-20230409191231941.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 55.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/26e3cc2be7432cf21453a6ac82ccf9b6/8ac56/image-20230409191231941.webp 240w,\n/static/26e3cc2be7432cf21453a6ac82ccf9b6/aff3a/image-20230409191231941.webp 433w\"\n              sizes=\"(max-width: 433px) 100vw, 433px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/26e3cc2be7432cf21453a6ac82ccf9b6/8ff5a/image-20230409191231941.png 240w,\n/static/26e3cc2be7432cf21453a6ac82ccf9b6/55fc0/image-20230409191231941.png 433w\"\n            sizes=\"(max-width: 433px) 100vw, 433px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/26e3cc2be7432cf21453a6ac82ccf9b6/55fc0/image-20230409191231941.png\"\n            alt=\"image-20230409191231941\"\n            title=\"image-20230409191231941\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As long as the final value of <strong>Named pipe path</strong> is <code class=\"language-text\">\\\\.\\pipe\\com1</code>, you are good to go.</p>\n<p>This completes the Hyper-V-side configuration, so start the virtual machine.</p>\n<p>By the way, when attaching kernel debugging to a virtual machine configured in Hyper-V, it is better to disable Enhanced Session Mode.</p>\n<h3 id=\"changing-virtualbox-settings\" style=\"position:relative;\"><a href=\"#changing-virtualbox-settings\" aria-label=\"changing virtualbox settings permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Changing VirtualBox Settings</h3>\n<p>This section assumes that a Windows virtual machine has already been created in VirtualBox.</p>\n<p>To perform kernel-mode debugging, configure the COM port on the VirtualBox virtual machine.</p>\n<ol>\n<li>In VirtualBox Manager on the host machine, open the settings for the virtual machine to be debugged.</li>\n<li>Open the [Serial Ports] settings and enable [Port 1].</li>\n<li>Apply the following settings.\n<ul>\n<li>Port Number: COM1</li>\n<li>Port Mode: Host Pipe</li>\n<li>Path/Address: <code class=\"language-text\">\\\\.\\pipe\\com1</code></li>\n<li>Leave [Connect to existing pipe/socket] unchecked, so that VirtualBox creates the pipe and WinDbg on the host connects to it.</li>\n</ul>\n</li>\n</ol>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/57d56d521ef808486eb1a1b8a20d0c26/0b533/image-11.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 67.08333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/57d56d521ef808486eb1a1b8a20d0c26/8ac56/image-11.webp 240w,\n/static/57d56d521ef808486eb1a1b8a20d0c26/d3be9/image-11.webp 480w,\n/static/57d56d521ef808486eb1a1b8a20d0c26/b0a15/image-11.webp 500w\"\n              sizes=\"(max-width: 500px) 100vw, 500px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/57d56d521ef808486eb1a1b8a20d0c26/8ff5a/image-11.png 240w,\n/static/57d56d521ef808486eb1a1b8a20d0c26/e85cb/image-11.png 480w,\n/static/57d56d521ef808486eb1a1b8a20d0c26/0b533/image-11.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/57d56d521ef808486eb1a1b8a20d0c26/0b533/image-11.png\"\n            alt=\"image-11.png\"\n            title=\"image-11.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This completes the VirtualBox-side configuration, so start the virtual machine.</p>\n<h3 id=\"enabling-kernel-mode-debugging\" style=\"position:relative;\"><a href=\"#enabling-kernel-mode-debugging\" aria-label=\"enabling kernel mode debugging permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enabling Kernel-Mode Debugging</h3>\n<p>After the virtual machine starts, open an elevated command prompt inside the guest (the target) and enter the following commands. <code class=\"language-text\">debugport:1</code> selects COM1, the virtual serial port that was mapped to the named pipe above, and <code class=\"language-text\">baudrate:115200</code> must match the baud rate you later enter in WinDbg. The settings are written to the BCD store and take effect on the next boot.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">bcdedit <span class=\"token operator\">/</span>debug on\nbcdedit <span class=\"token operator\">/</span>dbgsettings serial debugport:1 baudrate:115200</code></pre></div>\n<p>Alternatively, start <code class=\"language-text\">Msconfig.exe</code>, open [Advanced options...] on the [Boot] tab, check [Debug], and select COM1 as the debug port with a baud rate of 115200.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 666px; \"\n  
  >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7be9c75f374117e7a6f4bb8a457bd035/ace37/image-9.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 83.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAADQ0lEQVQ4y41Tz4tbVRi9dKBQKwi1RYrLakFtUReCq67tyo11VcFFFyIUayuFKpTROgstUysMUloVBRcuWov/hB3QOp02Y5LJZCbJe3k/7n0/8/J+JJPk+H33JTPtrg8O3+U+7vnOOd+94q/lf7DeaKBaX0e700Gr/Tja2Go9HTYZm1sQjXoNgzQGRgXS2EcvkIh9F/3IQ9YLMBmmwHb2VBjkGcTfNRN310b4ozLE3UcFbq/muLOa4feVFH8+SvHb/Qw3lzPcWi5riXSK2b8UN5ZzbLgphGm7yMZAnE+QDKBh+BlqLQeVZhcd1YcVD9ENB7AixhBOb0TYhs37tMd1vRvB9SMI13FQfsSKiYYfRvClA9fuQrkWWUkxyPooCGkSQU73kzjUe8O8jzAMID0fwpkSTiaTshK6rkKlUsHqw4f4d2UF/1WrsCwbURRDKYUODc80u5BSaXieB0d6cBURGoaBZrOJytoaGjRtwzTRMiyaWBONjQ0isuC6LnzfJ8JII45jDV4HQaArE3oBWbZtGz53IKVZliHPc5i2RLvVQovAB5Mk2SGLwpDs7WLWwFUeAnIgpJQoigKKap8O8qeoE6timN2ubsaHHieYKeS9eKrQD4mQM+GPLfV6CcbjMSRNq9ncQK1eR5Xya9MFnylkAWWGJlxal5ZD2JQ7D3OHkDt5RMqVLW9RhtVaTR/knLkyIat+8GBF524YJjr0j8VYdP12pswT5vzKDAu4XkidfT0QVsRN/GmzmVKdIaljhaVlBeWHZYbj0RCDIsf2oNCV82DliobFVyKgw1LbC3fIdokj9ChP03K0C/HuB2dx6sxneI/w/kef4+Tpc1j69Q4iUrg1nbRDNp8kCqcor03aT1Cpb+LUuasQ4pmXIfYRnn0F4sCbEHuO4MPzCxht05NyXK1SqvICK+VpSAblJadrJrx3vwJx5B2IuUPHMXfoGOZeeAN7X3wLYv9RXPjqevlqKIrySe5iMhnD8HowZAAvKciJh34cYK3WwHNHT5DCA6zsVYjnX8Oeg8eJ8CW8ffI0vln6BZe/vYH5xZuEW5i/9hO+/O5nXF78EZ9e+QGfzH+PiwtLuHTlGr5YuI6PL36NvYdfx/+wGK4WmV5fYAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7be9c75f374117e7a6f4bb8a457bd035/8ac56/image-9.webp 240w,\n/static/7be9c75f374117e7a6f4bb8a457bd035/d3be9/image-9.webp 480w,\n/static/7be9c75f374117e7a6f4bb8a457bd035/be082/image-9.webp 666w\"\n              sizes=\"(max-width: 666px) 100vw, 666px\"\n              
type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7be9c75f374117e7a6f4bb8a457bd035/8ff5a/image-9.png 240w,\n/static/7be9c75f374117e7a6f4bb8a457bd035/e85cb/image-9.png 480w,\n/static/7be9c75f374117e7a6f4bb8a457bd035/ace37/image-9.png 666w\"\n            sizes=\"(max-width: 666px) 100vw, 666px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7be9c75f374117e7a6f4bb8a457bd035/ace37/image-9.png\"\n            alt=\"image-9.png\"\n            title=\"image-9.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Once the settings above are complete, configure WinDbg on the host machine.</p>\n<p>This is not required for kernel debugging itself, but if you want to test a self-made device driver or similar, run the following command and then restart the OS to enable test-signing mode.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">bcdedit <span class=\"token operator\">/</span><span class=\"token function\">set</span> testsigning on</code></pre></div>\n<p>Two caveats. First, if Secure Boot is enabled on the target (for example on a Generation 2 Hyper-V VM), this command fails because the value is protected by Secure Boot policy; disable Secure Boot in the VM firmware settings first. Second, test-signing mode lets the kernel load drivers signed with any certificate, including self-signed test certificates, and <code class=\"language-text\">/debug on</code> gives anyone who can attach a debugger to the host-side named pipe unrestricted read and write access to the target's kernel memory. Use both settings only on disposable lab VMs, and revert them with <code class=\"language-text\">bcdedit /set testsigning off</code> and <code class=\"language-text\">bcdedit /debug off</code> when you are done.</p>\n<h3 id=\"configuring-windbg\" style=\"position:relative;\"><a href=\"#configuring-windbg\" aria-label=\"configuring windbg permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Configuring WinDbg</h3>\n<p>On the host machine, start WinDbg with administrator privileges.</p>\n<p>For kernel-mode debugging, WinDbg itself must run elevated.\nIf it is started without administrator privileges, the kernel-mode session fails with an error such as <code class=\"language-text\">Kernel debugger failed initialization, Win32 error 5 Access is denied</code>.</p>\n<p>After starting WinDbg as an administrator, select [File] > [Kernel Debug], and on the [COM] tab check [Pipe], enter <code class=\"language-text\">\\\\.\\pipe\\com1</code> as the port and 115200 as the baud rate, so that the connection goes through the named pipe as shown below. Checking [Reconnect] lets WinDbg re-attach automatically when the target reboots.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4ee28ac0fb172f16033a6266f6071c7a/0b533/image-13.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 58.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAARlAAAEZQAGA43XUAAABdElEQVQoz52S6W6CUBCFef83UVGoCiSKaRMTdsGoD9AfdWmtstcKwilzE4220dpO8mVm7oWTWS4XRRG2YQw/SuDHKT7zDPs8R14cUJQFvltZlrhlnGObsG0bhq6foNx1XTiOA02v7gyniscwTReeO4FVxbY3hWVZGI1GmM1mmE6nzHOWaUDTdEwmk9MFQbnneRiPx5BkCbVaDTzPo9lsotHgUeeb7Kxer7OzI1wSx1iv14iiEGEYIkkS7HY77Pd7RlEUrBJBEKAoCiRJOiHL8kVOcPP5C5bLJXzfx2q1wmazQRAESNMUh8OBzUWvxtBqtdgPnU7nJtxiMQcthiphC9pufyzAMIwLwW63exXWclC1SoJUGQlSTGL/EjyvpjyPK0j4X4LHWV2zPwtmWYbX4APPqwBvQYrN+5q1T1unuWqadr8gbXA4HELuP0GQVSjqI/q9HlRVxWAwYJ4+bLfbzP8qKIoie5Ci0MKDKDBPb+6ce8WIL0AtNRYExCc0AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4ee28ac0fb172f16033a6266f6071c7a/8ac56/image-13.webp 240w,\n/static/4ee28ac0fb172f16033a6266f6071c7a/d3be9/image-13.webp 480w,\n/static/4ee28ac0fb172f16033a6266f6071c7a/b0a15/image-13.webp 500w\"\n 
             sizes=\"(max-width: 500px) 100vw, 500px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4ee28ac0fb172f16033a6266f6071c7a/8ff5a/image-13.png 240w,\n/static/4ee28ac0fb172f16033a6266f6071c7a/e85cb/image-13.png 480w,\n/static/4ee28ac0fb172f16033a6266f6071c7a/0b533/image-13.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4ee28ac0fb172f16033a6266f6071c7a/0b533/image-13.png\"\n            alt=\"image-13.png\"\n            title=\"image-13.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After completing this setup, click [OK]. A Command window for kernel debugging opens and waits for the named pipe that the hypervisor created for the virtual COM port.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">Waiting <span class=\"token keyword\">for</span> pipe \\\\<span class=\"token punctuation\">.</span>\\pipe\\com1\nWaiting to reconnect<span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span></code></pre></div>\n<p>Finally, restart the Windows machine on the target side so that the new boot configuration takes effect.</p>\n<p>Then, as shown below, WinDbg connects to the target during boot, and if you enabled test-signing earlier the target desktop also shows the Test Mode watermark. If WinDbg keeps waiting instead, check that the VM's serial port is still mapped to <code class=\"language-text\">\\\\.\\pipe\\com1</code>, that the target was actually rebooted after <code class=\"language-text\">bcdedit /debug on</code>, and that WinDbg is running elevated.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5909177960178f54921d390b555c8b13/0b533/image-10.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 59.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAARlAAAEZQAGA43XUAAACu0lEQVQoz42SW0hUURSG95zxFpGWUJGYqaljVuIY5KUUK5HQxocsU0tLyKCyvBX2JkFUL0EUlpcMnehCWeB1gnzo8tBbotltAoNgTHMyndFRnNGvfQ5ZEBEd+FiHtc/511p7/cJmG8JuH2VkZISxsTFGR0dxOh1Mu1zMzMzgknF6elrDpeL6zZQ8m52dpa+vj9bWVtrb2xEDAwMMDg4yPDwshZzaj+pHHo+Hubk5/uf5MmTj+bOnGsJqtWKz2TTsdjsOh4PJyUkp5uGr/RuNzXclt7lSb+Zqwy3qm+9R13yfOvND6loeUC+pbbrD5est1Da0INxut1Zlfn7+V0XPz87631rxj9iGX1gyIjAWsSQGEbABsSwOsSJJ5uIR/jLnvw7hF0mIMQOhjrcguMDCqAMfPrE8oRARnIISth0lfAfK2gwUwy6UjXkomw6jk+ijdiFWbcGQuu/fgm+sn1iVXY6IMqFbvwdhPIiSdBxl53l0+c3oj7TjXd2LV00/IusiUZllfxdUF6IJvrMSmyaFDNkI2ZGIL8Y7tRLfvCaU6n70tRME3HOy++U8sTUWQjNOIP61yfcfB4lMMiFWp6IzmDRBr21n8M5tRKnqRVEFH01R3DtH8tlOQtKPIVTvjY+PMzExoW1XxeFw4nbP8qrvNeuTMxFBiejC0hExOYgk2UXWJUTRfZTyF/hc+Exg43d8DpmJzJTX09XVRWdnJ2q0WCwa3d3d9PQ84cbNFowpJpSV8ShBm1FCUtCvTUcfnY3eWIR+ayVKxjl0ibJIuImo7UWIjo4OFlCdrsa2tjYeP7ZQe62B6Lg0aYk1CN8QxKIw+R4hbSKts9SIWCzt4iPzvsEI71AMCXIatbs/UUXVTs3mWxwrLaO88jRlFVWUnixn/8ESCkuOkltQRG7eAbJz8snMOYBpbwEVlaf4AZpplz8gK+T/AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/5909177960178f54921d390b555c8b13/8ac56/image-10.webp 240w,\n/static/5909177960178f54921d390b555c8b13/d3be9/image-10.webp 480w,\n/static/5909177960178f54921d390b555c8b13/b0a15/image-10.webp 500w\"\n              sizes=\"(max-width: 500px) 100vw, 500px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5909177960178f54921d390b555c8b13/8ff5a/image-10.png 240w,\n/static/5909177960178f54921d390b555c8b13/e85cb/image-10.png 480w,\n/static/5909177960178f54921d390b555c8b13/0b533/image-10.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n            type=\"image/png\"\n          />\n          
<img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/5909177960178f54921d390b555c8b13/0b533/image-10.png\"\n            alt=\"image-10.png\"\n            title=\"image-10.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This completes the preparation required to perform Windows kernel debugging with WinDbg.</p>\n<h2 id=\"performing-kernel-debugging-with-windbg\" style=\"position:relative;\"><a href=\"#performing-kernel-debugging-with-windbg\" aria-label=\"performing kernel debugging with windbg permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Performing Kernel Debugging with WinDbg</h2>\n<p>Now that WinDbg has connected to the target machine over the COM port, the environment is ready for kernel debugging.</p>\n<p>However, while the target's Windows OS is running, the Command window only shows the connection log; it does not accept commands until the target has been halted.</p>\n<p>To proceed with kernel debugging in WinDbg, you therefore first break into the target, which stops every processor on it and hands control to the debugger.</p>\n<h3 id=\"stopping-the-kernel-from-windbg\" style=\"position:relative;\"><a href=\"#stopping-the-kernel-from-windbg\" aria-label=\"stopping the kernel from windbg permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Stopping the Kernel from WinDbg</h3>\n<p>To stop the Windows kernel for kernel debugging, click the [Break] button on the toolbar at the top of WinDbg, or press [Ctrl+Break].</p>\n<p>Alternatively, you can stop it by selecting [Break] from the [Debug] menu at the top of WinDbg.</p>\n<p>While the target is broken in, it is completely frozen: its clock, network stack and UI all stop until you resume it with the <code class=\"language-text\">g</code> command.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 426px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ff4901184468bdbffd12fe366e0a50f0/531e1/image-14.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 104.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ff4901184468bdbffd12fe366e0a50f0/8ac56/image-14.webp 240w,\n/static/ff4901184468bdbffd12fe366e0a50f0/dca0e/image-14.webp 426w\"\n              sizes=\"(max-width: 426px) 100vw, 426px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ff4901184468bdbffd12fe366e0a50f0/8ff5a/image-14.png 240w,\n/static/ff4901184468bdbffd12fe366e0a50f0/531e1/image-14.png 426w\"\n            sizes=\"(max-width: 426px) 100vw, 426px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/ff4901184468bdbffd12fe366e0a50f0/531e1/image-14.png\"\n            alt=\"image-14.png\"\n            title=\"image-14.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After the following output appears, you can operate WinDbg from the Command window.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">Connected to Windows 10 10586 x64 target at <span class=\"token punctuation\">(</span>Mon Oct  4 17:32:25<span class=\"token punctuation\">.</span>121 2021 <span class=\"token punctuation\">(</span>UTC <span class=\"token operator\">+</span> 9:00<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> ptr64 TRUE\nKernel Debugger connection established<span class=\"token punctuation\">.</span>\nSymbol search path is: srv*\nExecutable search path is: \nWindows 10 Kernel Version 10586 <span class=\"token function\">MP</span> <span class=\"token punctuation\">(</span>1 procs<span class=\"token punctuation\">)</span> Free x64\nEdition build lab: 10586<span class=\"token punctuation\">.</span>162<span class=\"token punctuation\">.</span>amd64fre<span class=\"token punctuation\">.</span>th2_release_sec<span class=\"token punctuation\">.</span>160223-1728\nMachine Name:\nKernel base = 0xfffff803`5280b000 PsLoadedModuleList = 0xfffff803`52ae9cd0\nSystem Uptime: 0 days 0:00:00<span class=\"token punctuation\">.</span>121\nKDTARGET: Refreshing KD connection\n<span class=\"token keyword\">Break</span> instruction exception <span class=\"token operator\">-</span> code 80000003 <span class=\"token punctuation\">(</span>first chance<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">*</span><span class=\"token operator\">*</span><span 
class=\"token operator\">*</span>****************************************************************************\n*                                                                             *\n*   You are seeing this message because you pressed either                    *\n*       CTRL+C (if you run console kernel debugger) or,                       *\n*       CTRL+BREAK (if you run GUI kernel debugger),                          *\n*   on your debugger machine's keyboard.                                      *\n*                                                                             *\n*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *\n*                                                                             *\n* If you did not intend to break into the debugger, press the \"g\" key, then   *\n* press the \"Enter\" key now.  This message might immediately reappear.  If it *\n* does, press \"g\" and \"Enter\" again.                                          *\n*                                                                             *\n*******************************************************************************\nnt!DbgBreakPointWithStatus:\nfffff803`52952eb0 cc              int     3</code></pre></div>\n<p>While the target is broken in like this, the entire target machine is frozen, desktop included, until you type <code class=\"language-text\">g</code> in the WinDbg Command window to let it run again.</p>\n<h3 id=\"displaying-a-list-of-modules-in-kernel-mode-debugging\" style=\"position:relative;\"><a href=\"#displaying-a-list-of-modules-in-kernel-mode-debugging\" aria-label=\"displaying a list of modules in kernel mode debugging permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Displaying a List of Modules in Kernel-Mode Debugging</h3>\n<p>Even in kernel-mode debugging, the basic operations performed from the Command window are almost the same as in the user-mode debugging introduced in <a 
href=\"/windows-windbg-002-tutorial-en\">this article</a>.</p>\n<p>As a quick test, I ran the <code class=\"language-text\">lm</code> command to output a list of the loaded modules.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1d792de8449ddeac48b488e2dd683b09/1134b/image-12.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 77.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1d792de8449ddeac48b488e2dd683b09/8ac56/image-12.webp 240w,\n/static/1d792de8449ddeac48b488e2dd683b09/d3be9/image-12.webp 480w,\n/static/1d792de8449ddeac48b488e2dd683b09/e46b2/image-12.webp 960w,\n/static/1d792de8449ddeac48b488e2dd683b09/f992d/image-12.webp 1440w,\n/static/1d792de8449ddeac48b488e2dd683b09/bb6b4/image-12.webp 1470w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1d792de8449ddeac48b488e2dd683b09/8ff5a/image-12.png 240w,\n/static/1d792de8449ddeac48b488e2dd683b09/e85cb/image-12.png 480w,\n/static/1d792de8449ddeac48b488e2dd683b09/d9199/image-12.png 960w,\n/static/1d792de8449ddeac48b488e2dd683b09/07a9c/image-12.png 1440w,\n/static/1d792de8449ddeac48b488e2dd683b09/1134b/image-12.png 1470w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1d792de8449ddeac48b488e2dd683b09/d9199/image-12.png\"\n     
alt=\"image-12.png\"\n            title=\"image-12.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Next, run <code class=\"language-text\">x nt!MmCreate*</code> to list the symbols in the nt module whose names begin with <code class=\"language-text\">MmCreate</code>. The <code class=\"language-text\">x</code> command resolves names through the loaded symbol files, so if it prints nothing, fix the symbol path (<code class=\"language-text\">.sympath</code>) and run <code class=\"language-text\">.reload</code> before going further.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">kd> x nt!MmCreate*\nfffff803`52bd46ac nt!MmCreateTeb (MmCreateTeb)\nfffff803`52c5733c nt!MmCreatePeb (MmCreatePeb)\nfffff803`528ecfb8 nt!MmCreateMdl (MmCreateMdl)\nfffff803`528a5fc8 nt!MmCreateSystemSection (MmCreateSystemSection)\nfffff803`52c08c40 nt!MmCreateSection (MmCreateSection)\nfffff803`52c4a2fc nt!MmCreateProcessAddressSpace (MmCreateProcessAddressSpace)\nfffff803`52c08d30 nt!MmCreateCacheManagerSection (MmCreateCacheManagerSection)\nfffff803`52c88c8c nt!MmCreateSpecialImageSection (MmCreateSpecialImageSection)\nfffff803`5281cda0 nt!MmCreateKernelStack (MmCreateKernelStack)\nfffff803`52e2e838 nt!MmCreateMirror (MmCreateMirror)</code></pre></div>\n<h3 id=\"setting-a-breakpoint-in-a-kernel-module\" style=\"position:relative;\"><a href=\"#setting-a-breakpoint-in-a-kernel-module\" aria-label=\"setting a breakpoint in a kernel module permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Setting a Breakpoint in a Kernel Module</h3>\n<p>Next, run <code class=\"language-text\">bu nt!MmCreateProcessAddressSpace</code> to set a breakpoint. <code class=\"language-text\">bu</code> sets an unresolved (deferred) breakpoint: it is tied to the symbol name rather than to a fixed address, is resolved whenever the module is loaded, and is saved in the WinDbg workspace, which makes it the right choice for kernel modules that may be reloaded or relocated between sessions. The <code class=\"language-text\">bl</code> output confirms that it resolved to <code class=\"language-text\">fffff803`52c4a2fc</code>, the same address that <code class=\"language-text\">x</code> printed for this symbol above.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">kd> bu nt!MmCreateProcessAddressSpace\nkd> bl\n     0 e Disable Clear  fffff803`52c4a2fc     0001 (0001) nt!MmCreateProcessAddressSpace</code></pre></div>\n<p>If you now run the <code class=\"language-text\">g</code> command to resume the Windows kernel, the breakpoint fires each time a new process is created and the target breaks back into WinDbg.</p>\n<p>For example, this time I launched Microsoft Edge on the target machine.\nBecause <code class=\"language-text\">nt!MmCreateProcessAddressSpace</code> was called as part of the new-process startup path, the kernel stopped and debugging became possible in WinDbg.</p>\n<p>From here, WinDbg can step through Windows kernel code, display stack traces, inspect and modify register values and memory, and perform other operations.</p>\n<p>The image below shows the state after stepping 
execution forward until Microsoft Edge is in the middle of starting up and then outputting a stack trace.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4971cbcbb8730b99f99fd16584f1a897/0b533/image-15.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 65.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAARlAAAEZQAGA43XUAAADCElEQVQ4y32Sa2hTZxjHX9aKOrygHQ76XfwgXkA7cIidNa013ot2Tu2F2mlTp9YLVRHRwawtVhG8tV5WrZPJsurWffLzGCKbdDPNSZpLkxMTk5MmNuklvfe395z4QVF84M/7f98DP57/cx7xT0cHXS4vnUoXTpcHxeHGLuWQb/rd7fV9UF3y26uwhqW6BiGmMnX6XDIyP0U8ffY3iqsbh7sbj+8lXjVIIKQR0uJoscQb9b7l0wpHXzMwNMp3h2olcCYzZmUzTUKF0+kgEFB5FQoRjWr0RKOMDA8xPj7Gx2pyctI4Dx87JYEZiE/myHM6Qg0ECIfD+P1+VFUlHImQSqUYGh5mdHRUaozhN35iYuI98C/W39lVso/KfQcpr6hCKIpCMBgkIkHxeJxEIkFvby+vpfS6fd+KubiSbeXV5Jq/oWBrGWuLKigotlCwfS/rd1SxZdd+Nu+0sLnkAKLb5yfZn6K/v5+RkREZddzoJpUaMoAn65sRs5ZiqmrAcvUJpfVtlDY8pqzxD8outFPS0MbuOqt8e8TsxRsRHS/sRDWNZF+fAdPj6TU2no539k47YsEGltX+xiZrisK7EQrvRTG3apjvR1jXmtaGn+N8bj6B+NfmQPX7jPnpkfX4uk8kkwbw+yt3JdDMoiNtrG0JknfdxZomD6uuu/nqhtvwefLMv+Una2s94j+bQigURJNdDg4OGlBdAwODBrDu4jUysnMk8FfZWVgC3OTe8LL/UZCvf1INb2r2UnBH5bONZxHPnr/A3mnDZrMZnTmdTlwulzFTvX641ISYt4RFNQ/fAVZaX7Kt1S+7fAu45TzCrjiJxWLyL8sd7ImRlFH1TvXV0etc4xWmzFvI4kMPjFnpwPybXgmVUWVc3ZuaPWmgWe6kpkU/usCXr7WQOWc+86taMN3rMbrLbfKx+qbK6ltq+mz2s+bHEFm5FsRffz7FYe+iU87S3ulAkV6/697r8XH6TB05X+axfk8tRUcayf/2DPnVdawsPc4XxYdZvr2GnOKjrNh9ghxTEf8DP8EcKp4eO4EAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4971cbcbb8730b99f99fd16584f1a897/8ac56/image-15.webp 
240w,\n/static/4971cbcbb8730b99f99fd16584f1a897/d3be9/image-15.webp 480w,\n/static/4971cbcbb8730b99f99fd16584f1a897/b0a15/image-15.webp 500w\"\n              sizes=\"(max-width: 500px) 100vw, 500px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4971cbcbb8730b99f99fd16584f1a897/8ff5a/image-15.png 240w,\n/static/4971cbcbb8730b99f99fd16584f1a897/e85cb/image-15.png 480w,\n/static/4971cbcbb8730b99f99fd16584f1a897/0b533/image-15.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4971cbcbb8730b99f99fd16584f1a897/0b533/image-15.png\"\n            alt=\"image-15.png\"\n            title=\"image-15.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"wrap-up\" style=\"position:relative;\"><a href=\"#wrap-up\" aria-label=\"wrap up permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Wrap-up</h2>\n<p>This time, I introduced how to configure kernel debugging with WinDbg and some basic operations.</p>\n<p>I plan to cover troubleshooting techniques that use kernel debugging in a different article.</p>\n<p>For other information I have published about Windows debugging and dump analysis with WinDbg, see the list on the page below.</p>\n<p>Reference: <a 
href=\"/windows-windbg-001-index-en\">Debugging and Troubleshooting Techniques with WinDbg</a></p>","fields":{"slug":"/windows-windbg-004-kernel-debug-en","tagSlugs":["/tag/win-dbg-en/","/tag/kernel-en/","/tag/reversing-en/","/tag/english/"]},"frontmatter":{"date":"2021-10-06","description":"How to set up kernel-mode debugging with WinDbg on Windows 10 using Hyper-V or VirtualBox, and perform basic kernel debugging operations.","tags":["WinDbg (en)","Kernel (en)","Reversing (en)","English"],"title":"First Steps for Kernel Debugging a Windows 10 Environment with WinDbg","socialImage":{"publicURL":"/static/e155911f0b081dbeea1b753c64f1bb79/windows-windbg-004-kernel-debug.png"}}}},"pageContext":{"slug":"/windows-windbg-004-kernel-debug-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
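The WinDbg command script below is an added example and is not part of the original article. It packages the procedure from the "Setting a Breakpoint in a Kernel Module" section (verify the symbol, set a deferred breakpoint on nt!MmCreateProcessAddressSpace, resume, inspect) and goes one step further: the breakpoint carries an attached command string that records who created each process and from where, then lets the target continue, so process creation on the target is traced without the machine staying frozen at every hit. The only symbol it relies on is nt!MmCreateProcessAddressSpace, exactly as the page uses it; it assumes nothing about that routine's parameters. Paste it at the kd> prompt, or save it to a file and run it with $$><C:\path\to\trace-create.txt (the path is a placeholder).

```windbg
$$ Added example, not from the original article: the page's breakpoint
$$ workflow as a WinDbg command script. The only assumed symbol is
$$ nt!MmCreateProcessAddressSpace, as used on the page. Nothing about
$$ that routine's parameters is assumed.

$$ Step 0: confirm the nt symbols resolve. If x prints nothing, fix
$$ .sympath and run .reload before setting any breakpoint by name.
x nt!MmCreateProcessAddressSpace

$$ Step 1: a deferred (bu) breakpoint with an attached command string.
$$ The string runs at every hit: show the process that is executing the
$$ call (the creator, normally the parent of the new process), print a
$$ clean kernel stack, then g so the target resumes instead of freezing.
bu nt!MmCreateProcessAddressSpace "!process -1 0; kc; g"

$$ Step 2: bl must show the breakpoint resolved to the same address that
$$ x printed above. If it shows no address, symbols did not resolve.
bl

$$ Step 3: release the target, then start any process on it. Each
$$ creation logs the creator and stack in the Command window and the
$$ target keeps running.
g

$$ To stop and single-step at the hit instead, run these afterwards:
$$   bc 0
$$   bu nt!MmCreateProcessAddressSpace
$$   g
$$ When finished, clear every breakpoint before detaching. A bu
$$ breakpoint is saved in the workspace, so a stale one will break the
$$ target on every process creation the next time you attach:
$$   bc *
$$   g
```

Comments use $$ rather than *, because a $$ comment ends at the next semicolon while a * comment swallows the rest of the line; that is what keeps the file usable when $$>< condenses it into one semicolon-separated command block. Expect !process -1 0 at the hit to report the creating process (for a launch from the taskbar that is explorer.exe, not the new program), since the call runs on the creator's thread; the new process's own name is not yet visible at this point.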