Basic Windows Debugging
Pradeep.V.K.Chimalapati, 01.09.2009 (presentation uploaded by cvk.pradeep, added September 01, 2009; 34 slides)

Presentation Transcript

Slide 2: Aim of the Session
To understand what Windows debugging is
To understand the common debugging terms used
To understand what causes these dumps (BSOD – Blue Screen Of Death)
Types of dump files; crash dump options
Analysis using WinDbg
Types of debugging process: remote debugging

Slide 3: What is Debugging?

Slide 4: (no transcript text)

Slide 5: What is Debugging?
Debugging is a methodical process of finding and reducing the number of bugs, or defects, in a computer program. Debugging tools (called debuggers) help identify coding errors at various development stages.
Windows debugging is the process of using tools such as WinDbg and KD to debug a dump or a BSOD (Blue Screen Of Death) and to help rectify the cause of the dump.

Slide 6: Common Debugging Terms
Process: a container for a set of resources used by the threads that execute the instance of the program.
Thread: the entity within a process that Windows schedules for execution.
Call Stack: a fundamental data structure used to keep track of function calls and the parameters passed into these functions.
Register: a very fast temporary storage location in the CPU.
User Mode: the processor access mode in which applications run.
Kernel Mode: the processor access mode in which the operating system and privileged programs run.
Exception: an error condition resulting from the execution of a particular machine instruction.

Slide 7: Common Debugging Terms
Interrupt: a condition that disrupts normal thread execution and transfers control to an interrupt handler.
Interrupt Request Level (IRQL): the priority ranking of an interrupt.
Free Build: the retail version of the operating system.
Checked Build: the debug version of the operating system.
Breakpoint: the point at which the debugger is asked to stop execution.
Symbol Files (.pdb files): files containing the identifiers, such as variable and function names, created at compile time for use by the debugger. PDB files are program database files generated by the linker. Private PDB files contain information about private and public symbols, source lines, types, locals and globals.
Public PDB files do not contain types, locals or source line information.

Slide 8: Common Debugging Terms
Host Machine: the computer that runs the debugging session.
Target Machine: the computer that needs to be debugged and is the focus of the debugging session.
Blue Screens, Bug Checks, and Bug Check Codes: when Windows encounters inconsistencies within data necessary for its operation, the operating system shuts down and displays error information on a blue text-mode screen.
Crash Dump File: system state information written to a file when a bug check occurs.
BucketID: an identifier of a crash problem. BucketID is an internal term for the value generated by Watson when a new report comes in.
Remote Debugging: a debugging session in which the debugger resides on the host computer and the application to be debugged resides on the target computer.

Slide 9: Why Does Windows Crash?

Slide 10: Why Does Windows Crash?
Windows crashes when something is wrong in kernel mode:
Unhandled exception (e.g. executing an invalid instruction)
The system crashes when a fatal error prevents further execution
Any kernel-mode component can crash the system
Drivers and the OS share the same memory space
The OS or a driver detects a severe inconsistency
Referencing paged-out memory at interrupt level (the famous IRQL_NOT_LESS_OR_EQUAL crash)
A reschedule is attempted at dispatch level IRQL or higher
Hardware error

Slide 11: Why Does Windows Crash?
The top 100 reported crashes are due to:
~70% caused by third-party driver code
~15% caused by unknown (memory is too corrupted to tell)
~10% caused by hardware issues
~5% caused by Microsoft code

Slide 12: What Happens At The Crash
When a condition is detected that requires a crash, KeBugCheckEx is called.
It takes five arguments: the stop code (also called the bugcheck code) and four stop-code-defined parameters.
KeBugCheckEx then:
Turns off interrupts
Tells the other CPUs to stop
Paints the blue screen
Notifies registered drivers of the crash
If a dump is configured (and it is safe to do so), writes the dump to disk

Slide 13: (no transcript text)

Slide 14: Common Bug Check Codes
Bugcheck codes are shared by many components and drivers.
There are about 150 defined stop codes. Two common ones are:
(DRIVER_) IRQL_NOT_LESS_OR_EQUAL (0x0A): usually an invalid memory access
INVALID_KERNEL_MODE_TRAP (0x7F) and KMODE_EXCEPTION_NOT_HANDLED (0x1E): generated by executing garbage instructions, usually because a stack has been trashed
Most are documented in the Debugging Tools help file; also search the Microsoft Knowledge Base (www.microsoft.com/support).
Often the bug check code and parameters are not enough to solve the crash; the crash dump then needs to be examined.

Slide 15: Crash Dump Options
Small Memory Dump (minidump): only 64 KB (128 KB on 64-bit systems); contains minimal crash information; a unique file name is created in \Windows\Minidump after reboot.
Kernel Memory Dump: writes OS memory but not process memory; useful for large-memory systems; overwritten every time.
Complete Memory Dump: writes all of RAM; overwritten every time; written to %SystemRoot%\MEMORY.DMP.

Slide 16: Enabling Dumps
In Windows 2000/XP/2003:

Slide 17: Writing a Crash Dump
Crash dumps are written to the paging file. How is even this protected?
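The slides above say that KeBugCheckEx receives a stop code plus four stop-code-defined parameters and that, when a dump is configured, those values end up in the dump file. The script below is an added example, not part of the presentation: it reads the fixed part of the kernel dump header that WinDbg and Kd parse (signature "PAGE", ValidDump tag "DUMP" for a 32-bit DUMP_HEADER or "DU64" for a 64-bit DUMP_HEADER64, MajorVersion 0xF for a free build and 0xC for a checked build, MinorVersion holding the OS build number, then the machine type, CPU count, bugcheck code and the four parameters) and reports the stop code with a hint decoded from its parameters. It goes a little beyond the slides by handling both header layouts and decoding the parameters of 0x0A/0xD1, 0x7F and 0x1E as documented in the Debugging Tools help. The dump bytes it analyses are constructed in `build_sample_dump` (header only, no memory pages); the field offsets and the name BUGCHECK_NAMES are my own, and 0x7F is listed under its documented name UNEXPECTED_KERNEL_MODE_TRAP rather than the slide's INVALID_KERNEL_MODE_TRAP.

```python
"""Offline triage of a Windows kernel crash dump header (added example)."""
import struct
from dataclasses import dataclass
from typing import Tuple

# Stop codes named on the slides and their documented names; 0xD1 is the
# DRIVER_ variant of 0x0A. The real table (~150 entries) lives in the
# Debugging Tools help file.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x7F: "UNEXPECTED_KERNEL_MODE_TRAP",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
MACHINE_TYPES = {0x014C: "x86", 0x8664: "x64"}
HEADER_FILL = 0x45474150  # 'PAGE' repeated fills unused header bytes


@dataclass
class DumpSummary:
    bitness: int
    build_kind: str     # "free" or "checked", from MajorVersion
    build_number: int   # MinorVersion carries the OS build number
    machine: str
    processors: int
    bugcheck_code: int
    params: Tuple[int, int, int, int]

    @property
    def bugcheck_name(self) -> str:
        return BUGCHECK_NAMES.get(self.bugcheck_code, "UNKNOWN")


def parse_dump_header(data: bytes) -> DumpSummary:
    """Read the fixed prefix of DUMP_HEADER (32-bit) / DUMP_HEADER64."""
    if len(data) < 0x60 or data[0:4] != b"PAGE":
        raise ValueError("not a kernel crash dump: missing PAGE signature")
    valid = data[4:8]
    major, minor = struct.unpack_from("<II", data, 0x08)
    if valid == b"DU64":
        bitness = 64
        # MachineImageType @0x30, NumberProcessors @0x34, BugCheckCode @0x38,
        # 4 bytes of padding, then four 8-byte BugCheckParameters @0x40.
        image_type, ncpu, code = struct.unpack_from("<III", data, 0x30)
        params = struct.unpack_from("<4Q", data, 0x40)
    elif valid == b"DUMP":
        bitness = 32
        # MachineImageType @0x20, NumberProcessors @0x24, BugCheckCode @0x28,
        # then four 4-byte BugCheckParameters @0x2C.
        image_type, ncpu, code = struct.unpack_from("<III", data, 0x20)
        params = struct.unpack_from("<4I", data, 0x2C)
    else:
        raise ValueError(f"unknown ValidDump tag {valid!r}")
    build_kind = {0xF: "free", 0xC: "checked"}.get(major, f"major={major:#x}")
    machine = MACHINE_TYPES.get(image_type, hex(image_type))
    return DumpSummary(bitness, build_kind, minor, machine, ncpu, code, tuple(params))


def explain_parameters(s: DumpSummary) -> str:
    """Turn the stop-code-defined parameters into a one-line hint."""
    p1, p2, p3, p4 = s.params
    if s.bugcheck_code in (0x0A, 0xD1):
        # p1 = address referenced, p2 = IRQL, p3 = 0 read / 1 write, p4 = faulting code
        op = "write" if p3 == 1 else "read"
        return (f"{op} of {p1:#x} at IRQL {p2} from code at {p4:#x}; "
                "pageable memory touched at DISPATCH_LEVEL or above?")
    if s.bugcheck_code == 0x7F:
        # p1 = trap number; trap 8 (double fault) usually means the kernel stack overflowed
        return ("double fault: kernel stack likely exhausted or trashed"
                if p1 == 8 else f"trap number {p1:#x}")
    if s.bugcheck_code == 0x1E:
        return f"unhandled exception {p1:#x} at {p2:#x}"
    return "see the Debugging Tools help file for this stop code"


def build_sample_dump(code, params, bitness=64, build=7600, ncpu=2) -> bytes:
    """Constructed header only (0x2000/0x1000 bytes, no memory pages) for offline testing."""
    size = 0x2000 if bitness == 64 else 0x1000
    hdr = bytearray(struct.pack("<I", HEADER_FILL) * (size // 4))  # bytes 0..3 already read 'PAGE'
    hdr[4:8] = b"DU64" if bitness == 64 else b"DUMP"
    struct.pack_into("<II", hdr, 0x08, 0xF, build)  # 0xF marks a free (retail) build
    if bitness == 64:
        struct.pack_into("<III", hdr, 0x30, 0x8664, ncpu, code)
        struct.pack_into("<4Q", hdr, 0x40, *params)
    else:
        struct.pack_into("<III", hdr, 0x20, 0x014C, ncpu, code)
        struct.pack_into("<4I", hdr, 0x2C, *params)
    return bytes(hdr)


def triage(data: bytes) -> str:
    s = parse_dump_header(data)
    return (f"{s.bitness}-bit {s.machine} {s.build_kind} build {s.build_number}, "
            f"{s.processors} CPU(s): {s.bugcheck_name} ({s.bugcheck_code:#x}) "
            f"-> {explain_parameters(s)}")


if __name__ == "__main__":
    sample = build_sample_dump(0x0A, (0xFFFFF88001234000, 2, 0, 0xFFFFF8800ABCDEF0))
    print(triage(sample))
```

Run the script as-is to see the constructed 0x0A sample triaged, or pass the first 0x2000 bytes of a real MEMORY.DMP or minidump from \Windows\Minidump to `triage`. The header tells you only what the blue screen already told you; as the slide says, the stack and the memory pages behind it still have to be read in WinDbg or Kd.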
When the system boots it checks HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl.
The boot volume paging file's on-disk mapping is obtained.
The relevant components are checksummed: the boot disk miniport driver, the crash I/O functions and the page file map.
On crash, if the checksum does not match, the dump is not written.

Slide 18: At The Reboot
(Diagram: Session Manager, NtCreatePagingFile, Paging File, Memory.dmp, WinLogon, SaveDump; user mode and kernel mode; steps 1 to 4.)

Slide 19: What Gets Sent
An XML description of the system version, drivers present and loaded plug and play drivers
The minidump file

Slide 20: Analyzing a Crash Dump

Slide 21: Analyzing a Crash Dump
There are two kernel-level debuggers that can open crash dump files:
WinDbg: Windows program
Kd: command-line program
Both provide the same kernel debugger analysis commands.
You must first configure the debugger to point to symbols; the easiest way is to use the Microsoft Symbol Server.
WinDbg: click File -> Symbol File Path and enter srv*c:\symbols*http://msdl.microsoft.com/download/symbols
To open a crash dump in WinDbg: File -> Open Crash Dump
Kd crash dump syntax: kd -z <memory dump file> -y <symbols directory> -i <image path>

Slide 22: Symbol Files
Before using any crash analysis tool, symbol files are needed.
Symbol files contain global function and variable names.
Symbols are data that enable the debugger to map the executable code back to the source code.
Symbols are service-pack-specific and have an installer (default directory is \windows\symbols):
Windows NT 4: *.dbg
Windows 2000: *.dbg, *.pdb
Windows XP/2003: *.pdb
Windows Vista/7: *.pdb
Note: Service Pack symbols only include updates.

Slide 23: Microsoft Symbol Server
WinDbg and Kd can download symbols automatically from the Microsoft server.
Pick a directory to install symbols into and add the following to the debugger's symbol path: SRV*directory*http://msdl.microsoft.com/download/symbols
The debugger automatically detects the OS version of a dump and downloads the symbols on demand.

Slides 24-27: (no transcript text)

Slide 28: Remote Debugging
Remote debugging refers to a debugging session in which the debugger resides on the host computer and the application to be debugged resides on the target computer.
Remote debugging is essential for debugging display driver issues or other display-related issues.
Here the host where WinDbg is running is connected to the target.

Slides 29-31: (no transcript text)

Slide 32: Summary
In this session on Basic Windows Debugging we:
Understood what Windows debugging is
Understood the common debugging terms used
Understood what causes Windows to crash (BSOD – Blue Screen Of Death)
Understood the types of dump files and crash dump options
Understood how to analyze a crash dump using WinDbg (basic level)
Understood what remote debugging is

Slide 33: References
External links:
http://msdn.microsoft.com/en-us/library/ms801645.aspx
http://msdn.microsoft.com/en-us/library/ms789516.aspx
http://www.codeproject.com/KB/debug/windbg_part1.aspx
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
http://en.wikipedia.org/wiki/WinDbg

Slide 34: ENJOY DEBUGGING….. THANKS