Analyze -v

The first thing that anyone working with x64 dumps needs to know is that trap frames on the x64 do not contain non-volatile register state. What this means for you the analyst is that when you use the .trap command with an x64 target you cannot trust the register contents displayed for rbx, rbp, rdi, rsi, and r12-r15. If you need the contents of these registers at the time of the crash you will need to find the contents indirectly.

I highly recommend that you read my full treatment of this topic in the last issue of The NT Insider: http://www.osronline.com/article.cfm?id=542. In an upcoming post I’ll be showing another example of this as well.

This entry was posted on Thursday, December 17th, 2009 at 9:40 am and is filed under WinDBG, Windows internals, x64. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.