
How to Use WinDbg for Windows Debugging and Crash Analysis

WinDbg, short for Windows Debugger, is a powerful tool for debugging Windows applications and drivers and for analyzing crash dumps. It ships with the Windows Software Development Kit (SDK) and is essential for developers and system administrators who need to diagnose and troubleshoot complex issues on Windows systems. This article walks through the basics of using WinDbg: setting it up, opening a crash dump, and performing a basic analysis.

Setting Up WinDbg

  1. Download and Install WinDbg:

    • WinDbg is included in the Windows SDK. You can download the latest SDK from the Microsoft website.
    • During installation, ensure that the "Debugging Tools for Windows" option is selected.
  2. Configure Symbol Path:

    • Symbols are necessary for meaningful debugging. Set up your symbol path to point to the Microsoft symbol server by opening WinDbg and navigating to File -> Symbol File Path.
    • Enter the following path: srv*C:\Symbols*https://msdl.microsoft.com/download/symbols
    • Click OK to save the settings.

Opening a Crash Dump

  1. Collect a Crash Dump:

    • Small memory dumps (minidumps) are usually written to C:\Windows\Minidump, and kernel or complete memory dumps to the single file C:\Windows\MEMORY.DMP.
    • You can also configure Windows to generate crash dumps by adjusting the system properties under Control Panel -> System and Security -> System -> Advanced system settings -> Startup and Recovery.
  2. Open the Crash Dump in WinDbg:

    • Launch WinDbg.
    • Go to File -> Open Crash Dump and select the dump file you want to analyze.
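Before opening a dump you often need to know which kind of dump the machine is configured to write and where the files actually are. The following PowerShell script is an added example, not part of the original article: it reads the Startup and Recovery settings from the CrashControl registry key (the same settings exposed in the System Properties dialog mentioned above) and lists any dump files found in the configured locations, newest first. The numeric meanings of CrashDumpEnabled used in the lookup table are an assumption based on Microsoft's documentation of that value.

```powershell
# Added example (not from the original article): report the current crash-dump
# configuration and list the dump files present in the configured locations.
# Assumed meaning of CrashDumpEnabled (per Microsoft documentation):
#   0 = none, 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic.
$crashControl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}
$type = $dumpTypes[[int]$crashControl.CrashDumpEnabled]
if (-not $type) { $type = "Unknown ($($crashControl.CrashDumpEnabled))" }

Write-Host "Dump type      : $type"
Write-Host "Dump file      : $($crashControl.DumpFile)"
Write-Host "Minidump folder: $($crashControl.MinidumpDir)"

# The registry stores paths such as %SystemRoot%\MEMORY.DMP; expand them first.
$dumpFile    = [Environment]::ExpandEnvironmentVariables($crashControl.DumpFile)
$minidumpDir = [Environment]::ExpandEnvironmentVariables($crashControl.MinidumpDir)

$candidates = @()
if (Test-Path $dumpFile)    { $candidates += Get-Item $dumpFile }
if (Test-Path $minidumpDir) { $candidates += Get-ChildItem -Path $minidumpDir -Filter '*.dmp' }

if ($candidates.Count -eq 0) {
    Write-Host 'No crash dumps found in the configured locations.'
} else {
    # Newest dump first: that is normally the one that matches the incident being investigated.
    $candidates |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName,
                      @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } },
                      LastWriteTime |
        Format-Table -AutoSize
}
```

Run it in a normal PowerShell session; reading CrashControl does not require elevation, but the MEMORY.DMP file itself is typically readable only by administrators, so run elevated if you want its size reported.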

Basic Crash Analysis

  1. Load the Dump File:

    • Once the dump file is loaded, you will see the command prompt at the bottom of the WinDbg window.
    • Enter the command !analyze -v to perform a verbose analysis of the crash dump.
  2. Interpreting the Results:

    • The output will provide a summary of the crash, including the probable cause, the faulting module, and the stack trace.
    • Look for lines that mention "BugCheck" and "Probably caused by" to identify the root cause.
  3. Further Analysis:

    • Use commands like lm to list loaded modules, k to view the stack trace, and !process to inspect process details.
    • For more detailed analysis, refer to the official WinDbg documentation.
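The steps above are interactive, but the same analysis can be scripted so that a dump is triaged without opening the WinDbg GUI, which is useful when many dumps arrive from many machines. The script below is an added example and not part of the original article. It assumes the Debugging Tools are installed under the default Windows Kits path (adjust the -Kd parameter otherwise), uses the symbol path configured earlier in the article via the _NT_SYMBOL_PATH environment variable, runs !analyze -v and lm through the command-line debugger, and then extracts the "BugCheck" and "Probably caused by" lines the article tells you to look for.

```powershell
# Added example (not from the original article): batch-mode crash analysis.
# Assumptions: kd.exe lives at the default Windows Kits path below, and
# -DumpPath is supplied by the caller (for example C:\Windows\Minidump\<file>.dmp).
param(
    [Parameter(Mandatory = $true)][string]$DumpPath,
    [string]$SymbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols',
    [string]$Kd = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'
)

if (-not (Test-Path $DumpPath)) { throw "Dump not found: $DumpPath" }
if (-not (Test-Path $Kd))       { throw "kd.exe not found at $Kd; adjust -Kd to match your SDK install" }

# Same symbol path the article configures in the GUI; the command-line
# debuggers read it from this environment variable.
$env:_NT_SYMBOL_PATH = $SymbolPath

# -z opens a dump file, -c runs debugger commands at startup, and the trailing
# q quits once they finish. -logo writes the full session transcript to a file.
$log = [IO.Path]::ChangeExtension($DumpPath, '.analyze.txt')
& $Kd -z $DumpPath -logo $log -c '!analyze -v; lm; q' | Out-Null

# Pull out the two summary lines the article says to look for.
$transcript = Get-Content $log
$bugCheck   = $transcript | Where-Object { $_ -match '^BugCheck ' } | Select-Object -First 1
$cause      = $transcript | Where-Object { $_ -match '^Probably caused by' } | Select-Object -First 1

[pscustomobject]@{
    Dump             = $DumpPath
    BugCheck         = $bugCheck
    ProbablyCausedBy = $cause
    Transcript       = $log
}
```

Save it as a .ps1 file and call it as .\Analyze-Dump.ps1 -DumpPath C:\Windows\Minidump\<file>.dmp. The first run downloads symbols from the Microsoft symbol server into C:\Symbols, so it can take a while; later runs reuse the cache. For a user-mode process dump, point -Kd at cdb.exe in the same Debuggers folder, since !analyze -v works the same way there.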

Practical Example

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1A, {41792, fffff68000000000, 0, 0}

Probably caused by : memory_corruption ( ONE_BIT )

Followup:     MachineOwner
---------

0: kd> lm
start             end                 module name
fffff800`02e0a000 fffff800`02e14000   kdcom      (deferred)             
fffff800`02e14000 fffff800`02e1e000   mcupdate_GenuineIntel   (deferred)             
...
