Enable noisy (verbose) symbol-loading output, useful when symbols fail to resolve

!sym noisy

Set the symbol and source paths to the Microsoft public symbol/source server (the "fix" commands, useful when you need Microsoft's public symbols for OS binaries), then append your own path to the existing symbol path

.symfix

.srcfix

.sympath+ D:\Binaries\Syms.pri\

Enable source-line stepping (subsequent t/p commands step by source line instead of by instruction)

l+t

Trace (step into) one step; with source-line stepping enabled this steps line by line

t

Step over a function call

p

Execute until the next call instruction

pc

Continue execution until the current function returns

gu

Continue execution after a breakpoint

g


Get the message for an error code (a Win32 error or an HRESULT; append the flag 1 to decode an NTSTATUS instead). 0x80070005 is HRESULT_FROM_WIN32(5), so both commands below decode to ERROR_ACCESS_DENIED

!error 0x80070005

!error 5
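How the two values above relate, as an added example (not part of the cheat sheet): a Python decoder that mirrors `!error Value [Flags]`, splitting a HRESULT into severity/facility/code, unwrapping HRESULT_FROM_WIN32 and HRESULT_FROM_NT, and treating the value as NTSTATUS only when the flag is set. The message tables are a small constructed subset of winerror.h and ntstatus.h.

```python
"""Decode Win32, HRESULT and NTSTATUS values the way `!error Value [Flags]` does.
Added example, not code from the cheat sheet; the message tables are a small constructed
subset of winerror.h / ntstatus.h (the real tables come from the header files)."""
from dataclasses import dataclass

# Constructed subset of Win32 error codes (winerror.h).
WIN32_MESSAGES = {
    0: "ERROR_SUCCESS: The operation completed successfully.",
    2: "ERROR_FILE_NOT_FOUND: The system cannot find the file specified.",
    5: "ERROR_ACCESS_DENIED: Access is denied.",
    6: "ERROR_INVALID_HANDLE: The handle is invalid.",
}
# Constructed subset of NTSTATUS codes (ntstatus.h).
NTSTATUS_MESSAGES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC0000022: "STATUS_ACCESS_DENIED",
}
FACILITY_WIN32 = 7          # HRESULT facility used by HRESULT_FROM_WIN32
HRESULT_N_BIT = 0x10000000  # set by HRESULT_FROM_NT: the HRESULT wraps an NTSTATUS


@dataclass
class Decoded:
    kind: str       # "win32", "hresult" or "ntstatus"
    severity: str
    facility: int
    code: int
    message: str


def decode_ntstatus(status):
    # Bits 31..30 carry the severity, 27..16 the facility, 15..0 the code.
    severity = ("success", "informational", "warning", "error")[status >> 30]
    return Decoded("ntstatus", severity, (status >> 16) & 0xFFF, status & 0xFFFF,
                   NTSTATUS_MESSAGES.get(status, "<unknown NTSTATUS>"))


def decode_hresult(hr):
    if hr & HRESULT_N_BIT:
        # HRESULT_FROM_NT(x) is x | 0x10000000, so clearing the bit recovers the NTSTATUS.
        return decode_ntstatus(hr & ~HRESULT_N_BIT & 0xFFFFFFFF)
    severity = "error" if hr & 0x80000000 else "success"
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    if facility == FACILITY_WIN32:
        # HRESULT_FROM_WIN32(x) keeps the Win32 code in the low 16 bits: 0x80070005 -> 5.
        message = WIN32_MESSAGES.get(code, "<unknown Win32 error>")
    else:
        message = "<unknown HRESULT>"
    return Decoded("hresult", severity, facility, code, message)


def decode(value, ntstatus=False):
    """Mirror `!error Value [Flags]`: with Flags=1 (ntstatus=True) the value is an NTSTATUS;
    otherwise values below 0x10000 are Win32 codes and anything larger is an HRESULT."""
    value &= 0xFFFFFFFF
    if ntstatus:
        return decode_ntstatus(value)
    if value < 0x10000:
        return Decoded("win32", "n/a", 0, value,
                       WIN32_MESSAGES.get(value, "<unknown Win32 error>"))
    return decode_hresult(value)


if __name__ == "__main__":
    for v, flag in ((0x80070005, False), (5, False), (0xC0000022, True), (0xD0000022, False)):
        d = decode(v, flag)
        print("0x%08x -> %-8s %-13s facility=%-3d code=0x%04x %s"
              % (v, d.kind, d.severity, d.facility, d.code, d.message))
```

Note the ambiguity the flag resolves: 0xC0000005 is a valid HRESULT bit pattern and the NTSTATUS STATUS_ACCESS_VIOLATION at the same time, so `!error 0xC0000005` and `!error 0xC0000005 1` give different answers.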
Read registry values from the debugger (here every value under the AeDebug key)


!dreg Software\Microsoft\Windows NT\CurrentVersion\aeDebug!*

Open the debugger help for a topic

.hh <topic>
Look at the contents of a memory location

dd 0x72726f43

Display memory as a NUL-terminated ASCII string

da 0x72726f43

Other display formats: dc (DWORDs with their ASCII characters), du (Unicode string), dds (DWORDs with the symbol each resolves to), dpp (pointer-sized values, each dereferenced again as a pointer), dpa / dpu (pointer-sized values, each dereferenced as an ASCII / Unicode string)

dc 0x72726f43
du 0x72726f43

dds 0x72726f43

dpp 0x72726f43

dpa 0x72726f43

dpu 0x72726f43

A small value that is a multiple of 4 is often a handle rather than an address; look it up with !handle (the value below is only illustrative)

!handle 0x72726f43
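What the display commands above actually decode, as an added example (not from the cheat sheet): a Python emulation of dd, da, du and dds over a constructed 48-byte memory image that begins with the bytes "Corr", so a dd over it yields the same 0x72726f43 used above. BASE, MEMORY, the SYMBOLS table and the handle heuristic are assumptions made for the example, nothing is read from a live process.

```python
"""Emulate what WinDbg's dd, da, du and dds show for a byte range.
Added example, not code from the cheat sheet: the memory image, the symbol table and
the addresses are constructed here, nothing is read from a real process."""
import struct

# Constructed 32-bit little-endian memory image mapped at BASE (48 bytes):
#   +0x00  "Corrupt string\0\0"        16 bytes of ASCII text ("Corr" reads as 0x72726f43)
#   +0x10  L"Ünicode\0"                16 bytes of UTF-16LE text
#   +0x20  three 32-bit slots: a pointer into this image, a (fake) code address, a small value
BASE = 0x00C30000
MEMORY = (b"Corrupt string\x00\x00"
          + "\u00dcnicode\x00".encode("utf-16-le")
          + struct.pack("<III", 0x00C30010, 0x77A1F000, 0x0000001C)
          + b"\x00" * 4)
# Constructed symbol table used by dds: address -> "module!symbol".
SYMBOLS = {0x77A1F000: "kernel32!CreateFileW"}


def read(addr, length):
    """Return `length` bytes at `addr`; WinDbg prints '????????' for unmapped ranges."""
    off = addr - BASE
    if off < 0 or off + length > len(MEMORY):
        raise ValueError("address range 0x%x+0x%x is not mapped" % (addr, length))
    return MEMORY[off:off + length]


def dd(addr, count=4):
    """dd: `count` 32-bit little-endian DWORDs (WinDbg's default count is 32)."""
    return list(struct.unpack("<%dI" % count, read(addr, 4 * count)))


def da(addr, max_len=48):
    """da: a NUL-terminated single-byte string starting at addr."""
    raw = read(addr, min(max_len, len(MEMORY) - (addr - BASE)))
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def du(addr, max_len=48):
    """du: a NUL-terminated UTF-16LE string starting at addr."""
    raw = read(addr, min(max_len, len(MEMORY) - (addr - BASE)))
    chars = []
    for i in range(0, len(raw) - 1, 2):
        unit = struct.unpack_from("<H", raw, i)[0]
        if unit == 0:
            break
        chars.append(chr(unit))
    return "".join(chars)


def dds(addr, count=4):
    """dds: (slot address, DWORD, symbol or None) for `count` consecutive DWORDs."""
    out = []
    for i in range(count):
        slot = addr + 4 * i
        value = struct.unpack("<I", read(slot, 4))[0]
        out.append((slot, value, SYMBOLS.get(value)))
    return out


def looks_like_handle(value):
    """Cheat-sheet heuristic, not a WinDbg rule: user-mode handles are small and have the
    low two bits clear, so such values are worth trying with !handle."""
    return 0 < value < 0x10000 and value % 4 == 0


if __name__ == "__main__":
    print("dd  ", " ".join("%08x" % w for w in dd(BASE)))       # 72726f43 20747075 ...
    print("da  ", da(BASE))
    print("du  ", du(BASE + 0x10))
    for slot, value, sym in dds(BASE + 0x20, 3):
        print("dds  %08x  %08x  %s%s" % (slot, value, sym or "",
              "  (handle?)" if looks_like_handle(value) else ""))
```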

Show the last error (GetLastError value) and last status of the current thread

!gle

Get the return value of the function just returned from: rax on x64 (first command), eax on x86 (second command)

r rax

r eax
Break on a write to memory address 00000039`f82ab0b8 (size 1 byte)

ba w 1 00000039`f82ab0b8

Symbols are also loaded from the paths in the _NT_SYMBOL_PATH and _NT_ALT_SYMBOL_PATH environment variables
Loaded modules
Show loaded modules:

lm


show specific module (verbose). Note that you can't specify the extension.

lm v m *myModuleName*

Look at loaded symbols with 'x module!symbol'; wildcards are allowed in both parts
Look at why the debugger stopped (the last exception or event)

.lastevent


Show register values

r

Display the eax register

r eax

Change the eax register

r eax=<value>

Change the register mask used by the r command

rm <mask>

Important pseudo-registers
$ip = instruction pointer register
$csp = the current stack pointer
$ra = the return address of the current function
$retreg = function return value register
Display the call stack

k

Display the parameters of the top three stack frames

kp 3

Breakpoints
To make sure your module is loaded before you set breakpoints in it, break on the module-load event

sxe ld mybinaryfile_without_extension

Note that the following command loads symbols for all currently loaded modules (a module name or pattern can be used instead of, or combined with, the wildcard), but it does nothing for modules that are loaded later, so you may still need the event break above

ld *

Now you can open the source file and press F9 on the line you are interested in, or set a breakpoint on a function name (bm accepts wildcards in the function name)

bm mybinaryfile_without_extension!*myFunction*

Set a breakpoint on KBTest::Fibonacci in myexe that runs 'r esp' each time it is hit (use 'bu' instead of 'bp' if the module is not loaded yet)

bp myexe!KBTest::Fibonacci "r esp"

Now the same breakpoint for thread 0 only

~0 bp myexe!KBTest::Fibonacci "resp"

Clear all breakpoints

bc *

Show local variables

dv

Show local variables matching a pattern

dv myExe!m*v*

Show the object type for 'this'

dt this

Find what kind of memory an address belongs to (stack, heap, image, etc.) and its protection. Note that '.' is the current instruction address. With no argument it enumerates all memory regions.

!address .
!address @esp
!address 0070000


The command line and environment variables the debuggee was started with can be found in the process environment block (PEB)

!peb

Use binplace.exe to strip public symbols out of the private symbol files produced by the compiler and to store the public/private symbol files and the binary in specific locations (more useful from a script; for large projects use symstore.exe instead)


Note that when binplace creates the public symbol file it modifies the binary's header so that it points at the new symbol file location.
Get debug directory information from a binary file header using link.exe.

link -dump -headers c:\mybin.exe

Create a public/private symbol store for automatic management (replace the placeholders with the file to add, the store directory and a product name)

symstore add /f <binary or pdb> /s <store path> /t <product name>

Extract source file/server information from symbol files (pdb).


Change the current instruction pointer (64-bit)

r rip=000007fe`c60bba6c

Enable Kernel Debugging:
Vista and above:

bcdedit /set debug on

Pre Vista:

Bootcfg /debug ON /port COM1 /ID 1

Kernel Object Commands:

Show a driver object (device objects, dispatch table, etc.) by module name

kd> !drvobj <name of module>

List all driver objects

!object \Driver

Viewing a driver object structure in the kernel by address

dt nt!_DRIVER_OBJECT 0x827e3698

Get device object information

kd> !devobj <name of device>

Then use the device object address printed by the command above (e.g. "Device object (826eb030) is for:") to see which user-mode processes hold handles to the device

kd> !devhandles 826eb030

Dump the SSDT (x86 kernel: the first member of KeServiceDescriptorTable points to the service table and dwo() dereferences that 32-bit pointer). Entries that resolve outside nt are a sign of SSDT hooking; on x64 the table holds relative offsets rather than pointers, so this command does not apply as-is

dd dwo(KeServiceDescriptorTable) L100


Remote Host Debugging

On the target machine enable kernel debugging by running the following command and then rebooting

bcdedit /debug on

On the target machine run windbg from an admin cmd using:

windbg -server tcp:port=3001 -k

If necessary, start kernel debugging using Ctrl-K, select Local and click OK
On the controller machine run windbg, then go to File -> "Connect to Remote Session..." and use the following connection string (replace <target> with the target machine's host name or IP address)

tcp:Port=3001,Server=<target>


The sympath can consist of multiple URIs. Sympath is initialized from the _NT_SYMBOL_PATH system environment variable.
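A parser for that multi-element syntax, as an added example (not part of the cheat sheet): it splits a symbol path into srv, cache and plain-directory elements and flags symbol servers reached over plain HTTP, since a PDB fetched over an unauthenticated channel can be swapped by an on-path attacker and the debugger will then trust its names, types and source paths. SAMPLE_SYMPATH is constructed and symbols.example.invalid is a placeholder host.

```python
"""Parse a WinDbg symbol path (the .sympath / _NT_SYMBOL_PATH syntax) into its elements and
flag symbol servers reached over plain HTTP.  Added example, not part of the cheat sheet;
SAMPLE_SYMPATH is constructed and symbols.example.invalid is a placeholder host."""
from dataclasses import dataclass, field
from typing import List

SAMPLE_SYMPATH = (r"srv*C:\Syms*https://msdl.microsoft.com/download/symbols;"
                  r"D:\Binaries\Syms.pri\;"
                  r"cache*C:\Cache;"
                  r"srv*http://symbols.example.invalid")


@dataclass
class SymElement:
    kind: str                                       # "dir", "srv" or "cache"
    paths: List[str] = field(default_factory=list)
    # srv:   zero or more local cache directories followed by the server;
    #        an empty list means the debugger's default cache and server.
    # cache: the cache directory used for the elements that follow it.
    # dir:   a plain directory searched for symbol files.


def parse_sympath(sympath):
    """Split on ';' into elements, then on '*' into the fields of srv/symsrv/cache elements."""
    elements = []
    for raw in sympath.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split("*")
        head = parts[0].lower()
        if head == "srv":
            elements.append(SymElement("srv", [p for p in parts[1:] if p]))
        elif head == "symsrv":
            # symsrv*symsrv.dll*cache*server is the long form of srv*cache*server.
            elements.append(SymElement("srv", [p for p in parts[2:] if p]))
        elif head == "cache":
            elements.append(SymElement("cache", [p for p in parts[1:] if p]))
        else:
            elements.append(SymElement("dir", [raw]))
    return elements


def servers(elements):
    """The remote store of every srv element: the last field, the caches come before it."""
    return [e.paths[-1] for e in elements if e.kind == "srv" and e.paths]


def insecure_servers(elements):
    """Symbol servers reached over plain http, where a PDB can be substituted in transit."""
    return [s for s in servers(elements) if s.lower().startswith("http://")]


if __name__ == "__main__":
    parsed = parse_sympath(SAMPLE_SYMPATH)
    for e in parsed:
        print("%-5s %s" % (e.kind, " * ".join(e.paths)))
    print("insecure servers:", insecure_servers(parsed))
```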
Exception Codes
The common Windows exception codes can be found in <ntstatus.h> in the WDK, defined as constants named STATUS_<NAME>.