Shows the stack of the current thread.
kb : Displays the first three arguments passed to each stack entry.
kp : Displays more information including the name and type of the parameters for each stack entry.
Shows all threads, the current been debugging thread will have a
dot ahead like the thread
2 shown below.
0:002> ~ 0 Id: 5a0.1f8 Suspend: 1 Teb: 7ffdd000 Unfrozen 1 Id: 5a0.158 Suspend: 1 Teb: 7ffdc000 Unfrozen . 2 Id: 5a0.b28 Suspend: 1 Teb: 7ffdb000 Unfrozen
We can use
~*kp) to enumerate all threads and print their stack trace information.
s might be interpreted as
set current thread or
This command will set the
x thread as the current thread, where
x is the thread num such as the
Please not the
x is not the thread id (TID). Anyway we can use
~~[TID]s to switch by the
TID. What should be noted is that the
 is indispensable.
I guess it means
go which instructs WinDbg to continue run after a breakpoint reached.
Shows the CPU time of all threads. It’s useful to troubleshoot infinite loops and performance issues.
0:004> !runaway User Mode Time Thread Time 2:7b0 0 days 0:00:20.203 0:790 0 days 0:00:00.015 4:eb8 0 days 0:00:00.000 3:8a4 0 days 0:00:00.000 1:648 0 days 0:00:00.000
It shows the user mode time by default with an option to display kernel time and time since creation. The parameter could be
4 or a combination of these three.
1shows user mode time
2shows kernel mode time
4shows the time since the creation of the thread.
- We can
LogicORthe above options to show a combined result, e.g
!runaway 7will show all the kinds of time because
ld can be used to load symbols for modules, but usually I will use
ld * to list all modules.
Displays symbols that match the specified pattern
Shows the address of a function, e.g the address of
77bd27c2 (maybe different on your computer.):
x msvcrt!printf 77bd27c2 msvcrt!printf = <no type information>
We can use wildcard with this command to list all the function/symbol from a specific dll e.g.
ln address tries to display symbols around the
dv /i/t/V shows the variables on the current stack frame.
see the document for details about the parameters.
Enumerates all the local variables in the current stack frame.
Enumerates all stack frames and print the local variables.
Dissembles from an address
u StartAddress LLength, e.g.
u 0040ff12 L100
Shows the memory and tries to display the symbols.
dds StartAddress LLength e.g.
dds 0040ff12 L20
s with the switcher
-a can searches a string in the memory
s -a StartAddress LLength TheStringToSearch
s -a 0040ff12 L999999 “the string”
切换栈帧, 先用 kb/knL 将栈帧都打印出来, 再用 .frame 切换之.
dt pObject shows the type of
pObject and its member variables.
dt address CMyClass interprets the address as a pointer to an object of CMyClass and display the information of the object.
Sets a memory breakpoint at the given address.
e.g1 break whenever the first 4 bytes of the buffer changed.
r4 means read 4 bytes.
ba r4 MyExe!buffer
e.g2 break whenever the first 4 bytes of the buffer changed.
w4 means write 4 bytes.
ba w4 MyExe!buffer
MyExe!buffer can be an address as well.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.