Principle and prerequisites
What is WinDBG®?
WinDBG is a multipurpose debugger for the Microsoft Windows® computer operating system, distributed by Microsoft®. Debugging is the process of finding and resolving errors in a system; in computing it also includes exploring the internal operation of software as a help to development. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode.
WinDBG can be used for debugging kernel-mode memory dumps, created after what is commonly called the Blue Screen of Death, which occurs when a bug check is issued. It can also be used to debug user-mode crash dumps. This is known as post-mortem debugging. (source: Wikipedia)
Prerequisite
To use WinDBG® on a .NET process dump, it is necessary to have a copy of some DLLs from the machine where the dump was taken, saved in a directory visible to WinDBG.
Recover the dump from the problematic process
The dump can be taken from the Windows® Process Manager or with other tools such as Sysinternals® Procdump.
Example of a .bat file used in a scheduled task to take up to 5 memory dumps of watchdoc.exe when the process uses one CPU core out of four (25%) for more than 80 seconds:
procdump.exe -c 24 -s 80 -ma -n 5 /accepteula watchdoc.exe
More information on: https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Recover the DLL
To recover the DLLs, go to the server where the dump was taken and locate:
- sos.dll
- clr.dll
- mscorwks.dll
On a 64-bit system, these DLLs are in :\Windows\Microsoft.NET\Framework64\v4.0.30319
Save the DLLs
To save the DLLs, create a directory such as C:\global and add it to the PATH system variable of the workstation from which you launch WinDBG.
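The collection step above, as an added PowerShell example that is not part of the original page: it copies the three DLLs from the .NET Framework 4 64-bit directory the page names into the page's example directory C:\global, records each file's version (the DLLs loaded into WinDBG must match the .NET build of the dumped process), and appends C:\global to the machine PATH if it is not already there. The use of $env:SystemRoot for the drive, the version check and the PATH check are this example's additions.

```powershell
# Added example, not from the original page.
# Source: the page's 64-bit .NET 4 directory; drive taken from SystemRoot (assumption).
$frameworkDir = Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319'
# Destination: the page's example directory.
$dest = 'C:\global'
$dlls = 'sos.dll', 'clr.dll', 'mscorwks.dll'

if (-not (Test-Path $dest)) {
    New-Item -ItemType Directory -Path $dest | Out-Null
}

foreach ($name in $dlls) {
    $src = Join-Path $frameworkDir $name
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination $dest -Force
        # Keep the file version: WinDBG needs the DLLs from the same .NET build as the dumped process.
        $ver = (Get-Item (Join-Path $dest $name)).VersionInfo.FileVersion
        Write-Host "copied $name (file version $ver) to $dest"
    } else {
        # mscorwks.dll is the .NET 2.0/3.5 runtime; on a machine that only has .NET 4
        # it lives under Framework64\v2.0.50727 or is not installed at all.
        Write-Warning "$name not found in $frameworkDir"
    }
}

# Add C:\global to the machine-wide PATH once (requires an elevated prompt).
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $dest) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$dest", 'Machine')
    Write-Host "added $dest to the machine PATH; open a new console for it to take effect"
} else {
    Write-Host "$dest is already in the machine PATH"
}
```

Run it in an elevated PowerShell on the workstation where WinDBG is launched, after copying the DLLs over from the server. Note that a dump taken with procdump -ma is a full image of the process memory, including any credentials or documents the process was holding, so the .dmp files deserve the same access restrictions as the data the process handles.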
More information
http://windbg.info/doc/1-common-cmds.html
https://blogs.msdn.microsoft.com/alejacma/2009/06/30/sos-cheat-sheet-net-2-03-03-5/
https://msdn.microsoft.com/en-us/library/windows/hardware/dn745911(v=vs.85).aspx