Difference between kernel mode debugging and user mode debugging

I am new to windbg and windows debugging.
Can anybody let me know what's the difference between kernel mode debugging and user mode debugging?

Kernel mode debugging relies on 2 systems and an interconnect such as serial
or 1394. With kernel mode debugging you can debug drivers and the
applications that call them.

User mode debugging runs on one system to debug another process.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@windbg…
> I am new to windbg and windows debugging.
> Can anybody let me know what's the difference between kernel mode debugging
> and user mode debugging?

Information from ESET NOD32 Antivirus, version of virus signature database 4818 (20100129)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

Thanks Don for the reply.
But if I debug a driver running on my system itself, then will that not be kernel mode debugging?
Is it necessary to have two systems, one running the driver and the other running the debugger?

Also worth mentioning that the command set can be very different for user
mode and kernel mode debugging. For example, in a kernel debug session you
change threads with the .thread command, in user mode you use the ~s
command. Makes it tricky to move back and forth, though you get used to it.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Don Burn” wrote in message news:xxxxx@windbg…
> Kernel mode debugging relies on 2 systems and an interconnect such as
> serial or 1394. With kernel mode debugging you can debug drivers and
> the applications that call them.
>
> User mode debugging runs on one system to debug another process.

Yes it is necessary to have two systems (or at least 2 virtual machines) to
debug a driver. Windbg does not provide a way to debug a driver on a
single system, and solutions that have in the past offered this
destabilized the system.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@windbg…
> Thanks Don for the reply.
> But if I debug a driver running on my system itself, then will that not be
> kernel mode debugging?
> Is it necessary to have two systems, one running the driver and the other
> running the debugger?

Thanks Don and scott for the information.

2 virtual machines? You mean a “real” machine running a VM?

On Fri, Jan 29, 2010 at 11:08 AM, Don Burn wrote:

> Yes it is necessary to have two systems (or at least 2 virtual machines) to
> debug a driver. Windbg does not provide a way to debug a driver on a
> single system, and solutions that have in the past offered this
> destabilized the system.

I mean a real machine running a hypervisor with 2 virtual machines under it.
That is the only way I know of to use windbg effectively in a single machine
environment.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Jim Donelson” wrote in message news:xxxxx@windbg…
> 2 virtual machines? You mean a “real” machine running a VM?

Don Burn wrote:

I mean a real machine running a hypervisor with 2 virtual machines under it.
That is the only way I know of to use windbg effectively in a single machine
environment.

Well, picking nits, it is possible to run WinDbg on the real machine and
debug a system in a VM. Your proposal might turn out to be the better
practice – I don’t think the industry has yet established a set of
“best practices” for managing VMs.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I always run WinDBG on the host, not sure what the advantage of running it
in another VM would be. In fact, you lose the ability to run VirtualKD,
which makes using two VMs disadvantageous.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Tim Roberts” wrote in message news:xxxxx@windbg…
> Well, picking nits, it is possible to run WinDbg on the real machine and
> debug a system in a VM. Your proposal might turn out to be the better
> practice – I don’t think the industry has yet established a set of
> “best practices” for managing VMs.

I never tried that, did not know it even worked. We run windbg 32 bit on a
64 bit machine to connect to a 32 bit vm.
(or, windbg 64 bit to connect to a 64 bit vm).

On Fri, Jan 29, 2010 at 2:40 PM, Don Burn wrote:

> I mean a real machine running a hypervisor with 2 virtual machines under
> it.
> That is the only way I know of to use windbg effectively in a single
> machine
> environment.

Actually, Windbg doesn’t have to match the system under debug, unless you’re
trying to debug Windows 2000. It will happily work against a machine
running a different word size.

If you’re trying to debug Windows 2000, you need the 32-bit version of
Windbg.


Jake Oshins
Hyper-V I/O Architect
Windows Kernel Group

This post implies no warranties and confers no rights.


“Jim Donelson” wrote in message news:xxxxx@windbg…
I never tried that, did not know it even worked. We run windbg 32 bit on a
64 bit machine to connect to a 32 bit vm.
(or, windbg 64 bit to connect to a 64 bit vm).



WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Why is that the case for w2k, Jake? Is it the same/similar reason that windbg w2k extensions come/came in chk and free flavors?

Thanks,

mm

The few times I have used a VM with WinDBG it was VMware ESX so there is no
way to run WinDBG on the real machine, it is running the hypervisor which is
not Windows. It had to be VM to VM. Mostly I still stick with two
independent systems.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Tim Roberts” wrote in message news:xxxxx@windbg…
> Well, picking nits, it is possible to run WinDbg on the real machine and
> debug a system in a VM. Your proposal might turn out to be the better
> practice – I don’t think the industry has yet established a set of
> “best practices” for managing VMs.

The underlying reason is the same.

Prior to Windows XP, debugger extensions were compiled with the headers of
the driver or other component under test. The way you traversed structures
in the extension was to fetch memory from the target and then cast it to a
struct. This worked badly up to that point, and it required that the target
match the extension, both in checked/free and in architecture. There were
separate extension DLLs for x86, Alpha, MIPS and PowerPC, checked and free.

The only good part was that you didn’t need working symbols for !irp, or any
other extension. You just needed to have a pointer to the struct.

At Windows XP, mostly as part of the port to 64-bit, the debugger team built
a framework for a new extension model, one where the extension code never
includes the headers from the component under test. Instead, the extensions
look up the structures from the symbol tables, programmatically walking
through things.

The upside is that the debugger doesn’t have to match the target. If the
symbols are correct, the debugger extension is correct. The downside is
that you need to get your symbols right. The further downside is that
engineers within Microsoft can forget to test the debugger extensions to see
if they still work with stripped symbols. (We almost always use full
symbols internally.) If the debugger extensions need private symbols,
there’s a way to enumerate specific symbols that need to be added back to
the stripped PDB as part of the Windows build process.


Jake Oshins
Hyper-V I/O Architect
Windows Kernel Group

This post implies no warranties and confers no rights.


wrote in message news:xxxxx@windbg…
> Why is that the case for w2k, Jake? Is it the same/similar reason that
> windbg w2k extensions come/came in chk and free flavors?
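As an added illustration of the two extension models Jake describes (constructed example code, not code from this thread, from WinDbg or from any Microsoft extension), the block below models a hypothetical kernel object SAMPLE_OBJ, two constructed memory images as they would be fetched from a 32-bit and a 64-bit target, and hand-written per-target "symbol tables". The pre-XP style lays the host-compiled struct over the fetched bytes and goes wrong as soon as the target's pointer size differs from the host's; the symbol-driven style reads each field at the offset and size the target's symbols give, so the debugger does not have to match the target, and it reports failure rather than guessing when a stripped symbol table no longer describes the field. Every name, offset and value here is an assumption made for the example.

```c
/*
 * Added example (not from the thread): a toy model of the two WinDbg
 * extension styles. The struct, the symbol tables and the memory images
 * are constructed for illustration only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel object as the *host* compiler lays it out. With
 * 8-byte pointers Next sits at offset 8 and Flags at 16; a 32-bit target
 * compiling the same source puts Next at 4 and Flags at 8. */
typedef struct _SAMPLE_OBJ {
    uint16_t Type;
    uint16_t Size;
    void    *Next;   /* pointer-sized field: this is what shifts the layout */
    uint32_t Flags;
} SAMPLE_OBJ;

/* Constructed little-endian memory images "read from the target". Both are
 * 24 bytes because an old-style extension fetches sizeof(SAMPLE_OBJ) host
 * bytes regardless of how large the object really is on the target. */
static const uint8_t TARGET_X86_IMAGE[24] = {
    0x06, 0x00,                 /* Type  = 6           (offset 0) */
    0x0c, 0x00,                 /* Size  = 12          (offset 2) */
    0x00, 0x10, 0x00, 0x80,     /* Next  = 0x80001000  (offset 4) */
    0x03, 0x00, 0x00, 0x00,     /* Flags = 3           (offset 8) */
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc   /* unrelated memory after the object */
};
static const uint8_t TARGET_X64_IMAGE[24] = {
    0x06, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00,  /* Type = 6, Size = 24, pad */
    0x00, 0x10, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,  /* Next = 0xfffff80000001000 */
    0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00   /* Flags = 3, pad */
};

/* Pre-XP style: overlay the host's struct on the fetched bytes. Correct only
 * when host and target agree on pointer size, padding and build flavour. */
static uint32_t cast_read_flags(const uint8_t *img)
{
    SAMPLE_OBJ obj;
    memcpy(&obj, img, sizeof obj);   /* memcpy instead of an unaligned cast */
    return obj.Flags;
}

/* Minimal stand-in for what a PDB provides: field name, offset and size. */
typedef struct { const char *name; size_t offset; size_t size; } FIELD_SYM;
typedef struct { const char *arch; const FIELD_SYM *fields; size_t count; } TYPE_SYM;

static const FIELD_SYM X86_FIELDS[] = {
    {"Type", 0, 2}, {"Size", 2, 2}, {"Next", 4, 4}, {"Flags", 8, 4} };
static const FIELD_SYM X64_FIELDS[] = {
    {"Type", 0, 2}, {"Size", 2, 2}, {"Next", 8, 8}, {"Flags", 16, 4} };
/* A "stripped" symbol table that lost the private fields: the failure mode
 * that only shows up when extensions are tested against public symbols. */
static const FIELD_SYM X64_STRIPPED_FIELDS[] = { {"Type", 0, 2}, {"Size", 2, 2} };

static const TYPE_SYM X86_TYPE          = {"x86", X86_FIELDS, 4};
static const TYPE_SYM X64_TYPE          = {"x64", X64_FIELDS, 4};
static const TYPE_SYM X64_STRIPPED_TYPE = {"x64 (stripped)", X64_STRIPPED_FIELDS, 2};

static uint64_t read_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* XP+ style: resolve the field through the target's symbols, then read
 * exactly that many bytes at that offset. Returns 1 on success and 0 when
 * the symbols do not describe the field, so the caller can say "symbols
 * missing" instead of printing garbage. */
static int sym_read_field(const TYPE_SYM *ty, const uint8_t *img,
                          const char *name, uint64_t *out)
{
    for (size_t i = 0; i < ty->count; i++) {
        if (strcmp(ty->fields[i].name, name) == 0) {
            *out = read_le(img + ty->fields[i].offset, ty->fields[i].size);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    uint64_t v;
    printf("host pointer size: %zu bytes\n", sizeof(void *));
    printf("cast-style Flags, x64 image: 0x%x\n", cast_read_flags(TARGET_X64_IMAGE));
    printf("cast-style Flags, x86 image: 0x%x (wrong unless the host is 32-bit)\n",
           cast_read_flags(TARGET_X86_IMAGE));
    if (sym_read_field(&X86_TYPE, TARGET_X86_IMAGE, "Flags", &v))
        printf("symbol-style Flags, x86 image: 0x%llx\n", (unsigned long long)v);
    if (sym_read_field(&X64_TYPE, TARGET_X64_IMAGE, "Next", &v))
        printf("symbol-style Next, x64 image: 0x%llx\n", (unsigned long long)v);
    if (!sym_read_field(&X64_STRIPPED_TYPE, TARGET_X64_IMAGE, "Flags", &v))
        printf("stripped symbols: Flags not described, refusing to guess\n");
    return 0;
}
```

On a 64-bit host the cast-style read decodes the x86 image's trailing bytes as Flags, which is exactly the checked/free and architecture mismatch the old per-flavour extension DLLs existed to avoid, while the symbol-driven read gets the right value from either image and fails cleanly on the stripped table.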

Thanks, Jake.

mm