
Windows Debugging

Postmortem Debugging

  • Configure System Crash Dump Options
    • UI: Windows Settings -> About -> Advanced Tab -> Startup and Recovery Settings
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
  • Configure the postmortem debugger: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
    • Debugger=REG_SZ:[DebuggerCmd] value: specifies the postmortem debugger, where [DebuggerCmd] is the command line used to invoke it
      • 1st %ld: replaced with the Process ID
      • 2nd %ld: replaced with the Event Handle
      • Ex: "C:\debuggers\windbg.exe" -p %ld -e %ld -g
    • Auto=REG_SZ:[0|1] value: configures whether the debugger is launched automatically
      • 0: do not launch automatically; show the user interaction dialog first
      • 1: launch automatically and hide the user interaction dialog
    • .\AutoExclusionList\[ExeName]=dword:00000001 value: excludes [ExeName] from automatic debugging, e.g.
      • "DWM.exe"=dword:00000001
  • (Reference)
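The AeDebug settings above, written and then read back from an elevated PowerShell prompt. This is an added example, not part of the original notes; the debugger path is assumed to match the "C:\debuggers\windbg.exe" example and must exist on the machine.

```powershell
# Added example: configure the AeDebug postmortem debugger and audit the result.
# Run elevated. The WinDbg path is an assumption taken from the note's example.
$AeDebug   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
$Exclusion = Join-Path $AeDebug 'AutoExclusionList'
$WinDbg    = 'C:\debuggers\windbg.exe'   # assumed install path
# Note: 32-bit processes on 64-bit Windows use the same key under
# HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug

function Set-PostmortemDebugger {
    param(
        [string]$DebuggerExe = $WinDbg,
        [bool]$AutoLaunch = $true,
        [string[]]$Exclude = @('DWM.exe')
    )
    # 1st %ld = process ID, 2nd %ld = event handle; -g skips the initial breakpoint
    $cmd = "`"$DebuggerExe`" -p %ld -e %ld -g"
    Set-ItemProperty -Path $AeDebug -Name 'Debugger' -Value $cmd -Type String
    # Auto "1": launch silently; "0": show the user interaction dialog first
    Set-ItemProperty -Path $AeDebug -Name 'Auto' -Value ([string][int]$AutoLaunch) -Type String
    if (-not (Test-Path $Exclusion)) { New-Item -Path $Exclusion -Force | Out-Null }
    foreach ($exe in $Exclude) {
        # dword 1 = excluded from automatic debugger launch
        Set-ItemProperty -Path $Exclusion -Name $exe -Value 1 -Type DWord
    }
}

function Get-PostmortemDebugger {
    # Read the effective configuration back. Worth checking periodically:
    # whatever command AeDebug\Debugger names is run on every unhandled crash.
    $props = Get-ItemProperty -Path $AeDebug
    $excluded = @()
    if (Test-Path $Exclusion) {
        $excluded = (Get-Item $Exclusion).GetValueNames() |
            Where-Object { (Get-ItemPropertyValue -Path $Exclusion -Name $_) -eq 1 }
    }
    [pscustomobject]@{
        Debugger = $props.Debugger
        Auto     = $props.Auto
        Excluded = $excluded
    }
}

Set-PostmortemDebugger
Get-PostmortemDebugger | Format-List
```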

Windows Debugging Tips

GFlags

Global Flags Editor (WindowsSDK\Debuggers\x64\gflags.exe) enables or disables advanced Windows diagnostic settings stored in registry keys

  • Features
    • advanced debugging settings, e.g. break on process launch
    • page heap allocation monitoring/verification
    • kernel object reference tracing
  • Warning: gflags.exe must be run as Administrator to change Windows debug settings
  • GFlags Reference

SysInternals

Collection of useful system troubleshooting tools

  • WinObj: shows all Object Manager objects (the OS object namespace)
  • SigCheck -a sftvolwin7.sys: verifies the file's digital signature and shows its version information
  • TCPView: lists all active TCP and UDP endpoints and the processes that own them
  • Procmon: Tools -> Count Occurrences on the Result column collates all error results

Last update: 2023-01-07