sort by address

Displays Application Verifier options. It can be placed anywhere as long as you reference it via the path. When executing a near call, the processor pushes the value of the EIP register (which contains the offset of the instruction following the CALL instruction) onto the stack (for use later as a return-instruction pointer). For an explanation of the possible, Creates a smart client, and connects to a process server that is already running. kp ... Causes the symbol handler to ignore the CV record. MT Count TotalSize Class Name The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, to analyze crash dumps, and to examine the CPU registers while the code executes. Dump only specified registers (i.e. Reload symbol information for all modules**

q = qword (8b) From WinDbg's command line do a !heap -p -a [UserAddr], where [UserAddr] is the address of your allocation ***. [Command], .effmach .load C:\Program Files\dotnet\shared\Microsoft.NETCore.App\2.2.1\sos.dll, !DumpHeap -stat exception log ]Name Field [Field] Thread = thread from which the registers are to be read (i.e. With the $$ token or the * token the debugger will ignore the inputted text without echoing it. sxd bp [Addr] ["CmdString"]

a = ascii string Other calls to SetLastError are redirected to a function located in NTDLL.DLL, RtlSetLastWin32Error. List heaps with index and range (= startAddr(=HeapAddr), endAddr) 00007fff38f84a30 2 65584 MemoryLeaker.MyData[] This post shows WinDBG commands to analyse SQL queries produced by application. q = qword (8b) Causes the debugger to turn off C++ translation. [~Thrd] bp[#] [Options] [Addr] [Passes] ["CmdString"], Set breakpoint at address First, thank you for compiling this document, it is very good. Specify module inclusion/exclusion list.

Name: MemoryLeaker.MyData Dump usage statistic for every AllocSize [HeapHandle = given heap | 0 = all heaps]. 00007fff38dd6668 6764 162336 MemoryLeaker.MyData -cs -a ADDR Passes = Activate breakpoint after #Passes (it is ignored before), Set unresolved breakpoint. -hp N Compares Range to all saved memory ranges !dlls -c ModuleAddr Type = data format in which to display the register (i.e. .holdmem -c Range Display . For more information see Choosing the 32-Bit or 64-Bit Debugging Tools. wt -nc .. [~Thrd] bm [Options] SymPattern [#Passes] ["CmdString"].

MEX!sqlcmd finds all SQL commands & their state & executing thread: All SQL commands found in snapshot. .reload [/f | /v] Module. This command is equivalent to ed or eq, depending on whether the target computer's processor architecture is 32-bit or 64-bit, respectively. TebAddr = specify thread; if omitted, the current thread is used, display thread times (user + kernel mode), display information about time consumed by each thread (0-user time, 1-kernel time, 2-time elapsed since thread creation). Details of all allocations in all heaps in the process.

Show all sync blocks that are owned by the current thread but not thinlocks, use !DumpHeap -thinlock, Displays deadlocks between SyncBlocks and/or ReaderWriterLocks, only managed (sosex), Get critical sections that threads are locked on (sieextpub), Lists all managed lock objects and CriticalSections and their owning threads (sosex), Lists all waiting threads and, if known, the locks they are waiting on (sosex), Displays all RWLocks or, if provided a RWLock address, details of the specified lock (sosex), Show data on the handle, if mutex or event can show the owner (procId.ThreadId), Displays a disassembly around the current instruction with interleaved source, IL and asm code (sosex), Displays a disassembly with interleaved source, IL and asm code (sosex). Download the mex.exe archive. For troubleshooting .NET (Core) memory or performance issues, there’re a lot of free or commercial tools available. notify; don't break The -length option specifies how many elements to show.

!logc [e|d] # [#] [#], List all categories Loading stuff .loadby sos mscorwks Load SOS extension (will identify sos location by loaded mscorwks path) .load c:\Windows\Microsoft.NET\Framework\v2.0.50727\sos Load SOS extension for .NET 2.0 .load psscor2 Load PSSCOR… .reload [/f | /v] .expr /q -b = Dump only contiguous block of struct Set c++ as the default expression evaluator b = byte Search for potentially leaked heap blocks, !heap Heap -b [alloc | realloc | free] [Tag] Searches ADDR in the critical section delete log. ~Number [Command] Windows 10, Windows 7, Windows 8, Windows Server 2008, Windows Server 2012. !analyze -f. Display information about the current exception or bug check; verbose x /z .. .help /D a*, Display . ~# e CommandString An owner thread call stack would show where the query is coming from. Starts a kernel debugging session using an EXDI driver. HeapHandle = value returned by HeapCreate or GetProcessHeap, Dump usage statistic for HeapHandle = 00150000, Breakpoint on HeapAlloc calls with TAG=mtag in heap with index 2, Details of heap allocation containing address 014c6fb0 + call-stack if available, Dump details of all allocations in all heaps in the process, Discoverability of debugger and extension functionality, Builds a code flow graph for the function starting at the given start address (similar to uf), Shows the basic block given the target address plus links to referring blocks and blocks referred to by the current block, when looking at a corrupted stack to determine which procedure made a call, The first parameter to LoadLibrary (at address, Our kernel32!LoadLibraryExW breakpoint will hit only if the pattern compared by, Right at a function’s entry point the value found on the top of the stack contains the return address, DriverEntry has 2x4 byte parameters = 8 bytes + 4 bytes for the return address = 0xC, WinMain has 4x4 byte parameters = 0x10 bytes + 4 bytes for the return address = 0x14, CreateHeap -> creates a _DPH_HEAP_ROOT (+ _HEAP 
+ 2x _HEAP_ENTRY)**, Select "Create user mode stack trace database" for your image in GFlags (gflags.exe /i MyApp.exe +ust).
Enable logging + possibly initialize it if not yet done. wt -oR .. dp* reset filter settings to default values, display most recent exception record -dlls N This mask controls how registers are displayed by the "r".

s -[Flags]q Range 'Pattern' HeapAlloc, HeapFree, new, and delete log Load SOS extension (will identify sos location by loaded mscorwks path), .load c:\Windows\Microsoft.NET\Framework\v2.0.50727\sos, Latest extension commands help (SOS,SOSEX,PSSCOR), Like !help but specifically for SOSEX, Display this screen or details about the specified command (SOSEX), Run dumpstack on all threads and show only ‘interesting’ (lock, hijacked, managed), unmanaged and managed call stack, better than !dumpheap (sosex), Unmanaged stack with arguments (kb4 limits stack to 4 frames), Unmanaged stacks without duplication, nice if have many worker threads, !dso [-verify] [top stack [bottom stack]], Objects stack trace (the actual object type and not where the method is), !mdso [/a | /r | /c:n | /t: | /mt:], Dumps object references on the stack and in CPU registers in the current context, !name2ee mscorlib.dll System.Threading.Thread. f = force immediate symbol load (overrides lazy loading); v = verbose mode

remove option, .symfix
The ObjSize command includes the size of all child objects in addition to the parent. .reload /f @"C:\WINNT\System32\verifier.dll". Override the autodetect behavior and set the target bitness for the debugger. !findstack Symbol [0|1|2] u = Unicode string Size: 24(0x18) bytes

-v = Verbose output.

w = search only writable memory a = sort by Addr, n = sort by name, z = sort by size. Ignores the initial breakpoint in target application.