Archive for August, 2009

What kind of dump is this?

Friday, August 28th, 2009

There are three dump types in Windows: minidumps, kernel summary dumps, and full memory dumps. WinDBG has no problem opening any of the three types and prints a banner when you first open the dump letting you know what you’re working with:

[Screenshot: fullmemdmp]

The other day I was looking at a dump and realized that I hadn’t bothered to look at the type of dump it was. Even worse, I had already cleared the screen with .cls and thus had lost the banner that told me what I was working with.

Enter .dumpdebug, which is an undocumented command that displays the header of the dump file. This contains all kinds of interesting information, including the type of dump file:

[Screenshot: dumpdebug]
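The banner and .dumpdebug both read the same thing: the header at the start of the file. The following is an added example (not code from the article or from WinDBG) that classifies a dump from its header bytes without opening it in a debugger, which is handy when triaging a directory of crash dumps. The offsets are assumed from the public DUMP_HEADER32 / DUMP_HEADER64 layouts rather than taken from the article: "PAGE" followed by "DUMP" or "DU64" marks a kernel dump, the ULONG DumpType field sits at 0xF88 (32-bit) or 0xF98 (64-bit) with 1 = full and 2 = kernel summary, and a minidump begins with "MDMP". The headers it classifies are constructed in the block itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed from the public DUMP_HEADER32 / DUMP_HEADER64 definitions
 * (not from the article): "PAGE" + "DUMP" (32-bit) or "PAGE" + "DU64"
 * (64-bit) at offset 0, ULONG DumpType at 0xF88 (32-bit) or 0xF98 (64-bit).
 * Minidumps carry the "MDMP" signature instead. */
#define DUMP_HEADER_SIZE 0x1000
#define DUMPTYPE_OFF_32  0xF88
#define DUMPTYPE_OFF_64  0xF98

enum dump_kind {
    DUMP_UNKNOWN = 0,
    DUMP_MINIDUMP,        /* "MDMP" signature (user- or kernel-mode minidump) */
    DUMP_KERNEL_FULL,     /* DumpType == 1 */
    DUMP_KERNEL_SUMMARY,  /* DumpType == 2 */
    DUMP_KERNEL_OTHER     /* any other DumpType (header-only, triage, bitmap, ...) */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify a dump from its first DUMP_HEADER_SIZE bytes. */
enum dump_kind classify_dump(const uint8_t *buf, size_t len) {
    if (len < 8) return DUMP_UNKNOWN;
    if (memcmp(buf, "MDMP", 4) == 0) return DUMP_MINIDUMP;
    if (memcmp(buf, "PAGE", 4) != 0) return DUMP_UNKNOWN;

    size_t off;
    if (memcmp(buf + 4, "DU64", 4) == 0) off = DUMPTYPE_OFF_64;
    else if (memcmp(buf + 4, "DUMP", 4) == 0) off = DUMPTYPE_OFF_32;
    else return DUMP_UNKNOWN;

    if (len < off + 4) return DUMP_UNKNOWN;   /* truncated header */
    switch (rd32le(buf + off)) {
    case 1:  return DUMP_KERNEL_FULL;
    case 2:  return DUMP_KERNEL_SUMMARY;
    default: return DUMP_KERNEL_OTHER;
    }
}

const char *dump_kind_name(enum dump_kind k) {
    switch (k) {
    case DUMP_MINIDUMP:       return "minidump";
    case DUMP_KERNEL_FULL:    return "full memory dump";
    case DUMP_KERNEL_SUMMARY: return "kernel summary dump";
    case DUMP_KERNEL_OTHER:   return "other kernel dump type";
    default:                  return "unknown";
    }
}

/* Build a constructed (fake) header in a static buffer and classify it.
 * magic supplies the first (up to) 8 bytes; dump_type is written at the
 * offset implied by the signature. */
enum dump_kind classify_constructed(const char *magic, uint32_t dump_type) {
    static uint8_t buf[DUMP_HEADER_SIZE];
    memset(buf, 0, sizeof buf);
    size_t n = strlen(magic);
    if (n > 8) n = 8;
    memcpy(buf, magic, n);

    size_t off = (memcmp(buf + 4, "DU64", 4) == 0) ? DUMPTYPE_OFF_64 : DUMPTYPE_OFF_32;
    buf[off + 0] = (uint8_t)(dump_type);
    buf[off + 1] = (uint8_t)(dump_type >> 8);
    buf[off + 2] = (uint8_t)(dump_type >> 16);
    buf[off + 3] = (uint8_t)(dump_type >> 24);
    return classify_dump(buf, sizeof buf);
}

int main(void) {
    printf("PAGEDU64 / type 1: %s\n", dump_kind_name(classify_constructed("PAGEDU64", 1)));
    printf("PAGEDUMP / type 2: %s\n", dump_kind_name(classify_constructed("PAGEDUMP", 2)));
    printf("MDMP             : %s\n", dump_kind_name(classify_constructed("MDMP", 0)));
    return 0;
}
```

To use it on real files, read the first 4 KiB of each .dmp into a buffer and pass it to classify_dump; anything that comes back DUMP_UNKNOWN or DUMP_KERNEL_OTHER deserves a look in the debugger with .dumpdebug rather than a guess.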

Watch and Locals windows always use the C++ evaluator

Tuesday, August 18th, 2009

In the previous article I showed using the Watch window to browse an address typed as a structure. What I didn’t bother mentioning is that the Watch and Locals windows always use the C++ expression evaluator, so the @@c++() syntax is redundant in this case. So, we can use a much shorter syntax if we’re going to cast something in the Watch window:

[Screenshot: wnocast]

You might also notice the Typecast button in the upper left corner. It can be used for the same purpose: it just opens a new column in which you can enter the data type for the address:

[Screenshot: waltformat]

C++ expressions and the Watch window

Sunday, August 16th, 2009

I often get asked if there’s a way to type an address and browse the structure in the Watch window (Alt+2). The answer is yes, but we need to switch over to the C++ evaluator instead of the MASM evaluator (which is the default).

We’ll need to use the same trick that we used when talking about the r? instruction. That is, we just need to wrap our expression in @@c++() to force the C++ evaluator and then cast an address as the type we want:

[Screenshot: cppwatch]

Again remember that the C++ evaluator defaults to decimal, so prefixing the address with 0x is critical.

Shutting off OACR

Wednesday, August 12th, 2009

Finally had a chance to install the RTM Win7 WDK and start dealing with Office Automated Code Review (OACR). I’ve had to deal with OACR before and never was a fan, but now that it’s an integrated part of my day-to-day life I find it more distracting than helpful. It’s not Prefast (sorry, Prefast) that I don’t like, it’s being forced to deal with a constantly changing icon in my tray and the barrage of pop-up balloons (complete with sound notifications!):

[Screenshot: oacrpop]

My immediate question is, of course, how do I make this go away? There are in fact a couple of reasonable options that you can use to get rid of it either permanently or temporarily.

If you want to remove it permanently, the first option is to follow the instructions described in this MSDN article. This will involve either editing your WDK build environment shortcuts or changing an oacr.ini file.

Alternatively, there is a way to disable OACR from the command line within a build environment. The first step is to turn OACR off for your builds, which is done using the particularly cryptic command oacr set off. This will cause OACR to be bypassed for subsequent builds, allowing you to avoid being pestered for anything you build in this window:

[Screenshot: oacroff]

From here, if you want to also kill the tray icon you can execute oacr stop and OACR should go away completely. Note that the oacr set off command is important: if you only do oacr stop, OACR will come right back the next time you invoke build.

Why are my NTSTATUS values displayed in decimal?

Friday, August 7th, 2009

You might have noticed that your NTSTATUS variables are displayed in the debugger as signed longs as opposed to the hex format that you find in the header files:

0:000> dv
status = -1073741823

This is fairly annoying as it’s counter to the typical way these are displayed elsewhere. Luckily, there’s an easy fix and that’s the .enable_long_status command:

0:000> .enable_long_status 1
0:000> dv
status = 0xc0000001