Windbg Quick Reference

This document provides a summary of commands for debugging and analyzing systems using a kernel debugger. It groups the commands into categories such as breakpoints, modules, processes, memory, and crash dumps. The commands can be used to set breakpoints, examine loaded modules, view and manage processes and threads, inspect and modify memory, and analyze system crashes.

Uploaded by Francis Lui
Copyright: © Attribution Non-Commercial (BY-NC)

Breakpoints / Execution / Exceptions

U  .breakin               Break to the Kernel Debugger
U  .ecxr                  Exception Context Record
U  ~F                     Freeze Thread
U  ~U                     Unfreeze Thread
U  ~N                     Suspend Thread
U  ~M                     Resume Thread
U  ~S                     Set Current Thread
U  |S                     Set Current Process
U  ||S                    Set Current System
G  BA                     Break on Access
G  BC                     Breakpoint Clear
G  BD                     Breakpoint Disable
G  BE                     Breakpoint Enable
G  BL                     Breakpoint List
G  BP BU BM               Set Breakpoint
G  AH AH(bcdi)            Assertion Handling
G  SX SX(DEIN)            Set Exceptions
G  !exchain               Exception handler chain
G  .exr                   Exception Record
G  G                      Go
G  GH                     Go with Exception Handled
G  Gn GN                  Go with Exception Not Handled
G  P                      Step
G  PA                     Step to Address
G  PC                     Step to Next Call
G  T                      Trace
G  TA                     Trace to Address
G  TB                     Trace to Next Branch
G  TC                     Trace to Next Call
G  WT                     Trace and Watch Data
G  .fiber                 Set Fiber Context
G  .record_branches       (AMD64) Enable Branch Recording
K  !bpid                  Cause a process to break
K  !ubc                   Clear a user-space breakpoint
K  !ubd                   Disable a user-space breakpoint
K  !ube                   Enable a user-space breakpoint
K  !ubl                   List all user-space breakpoints
K  !ubp                   Set a breakpoint in user space
K  .trap                  Trap Frame
K  ~S                     Change Current Processor
K  .thread                Set Register Context

Modules / Symbols

G  LM                     List Loaded Modules
G  !chkimg                Detect corruption of images
G  !dh                    Display the headers of an image
G  !dlls                  Display a list of all used modules
G  !imgreloc              Original base address of each module
G  !lmi                   Display information about a module
G  !imggp                 Global pointer GP for a 64-bit image
G  LD                     Load Symbols
G  .reload /u             Reload Modules
G  DT -b -v               Display Type, e.g. nt!* nt!_IRP
G  LN                     List Nearest Symbols
G  .fnent                 Display Function Data
G  LS LSA                 List Source Lines
G  LSC                    List Current Source
G  LSF LSF-               Load or Unload Source File
G  LSP                    Set Number of Source Lines
G  Dds DPs DQs            Display Words and Symbols
G  L+ L-                  Set Source Options
G  X /t /v                Examine Symbols, e.g. Drv!*g_*
G  .exepath               Set Executable Path
G  .lines                 Toggle Source Line Support
G  .open                  Open Source File
G  .srcnoisy              Noisy Source Loading
G  .srcpath .lsrcpath     Set Source Path
G  .symfix                Set Symbol Store Path
G  .symopt                Set Symbol Options
G  .sympath               Set Symbol Path
G  !sym                   Control noisy symbol loading and prompts
G  !symsrv close          Close the symbol server client
G  .fpo                   Control FPO Overrides

Modifications / Memory

U  !dphdump               Debug page heap
U  !dphfind               Find a debug page heap
U  !dphflags              Set or display the global page heap flags
U  !dphhogs               Debug page heap hogs
U  !vadump                Virtual memory ranges and their protection
U  !vprot                 Display virtual memory protection
G  A                      Assemble
G  U                      Unassemble
G  #                      Search for Disassembly Pattern
U  !igrep                 Search for a pattern in disassembly
G  C                      Compare Memory
G  D(ABCdDFPQUW) DY(bd)   Display Memory
G  DdP DPP DQP            Referenced Memory
G  E(ABdDFPQUW)           Edit Memory
G  F FP                   Fill Memory
G  M                      Move Memory
G  S                      Search Memory
G  .holdmem               Hold and Compare Memory
G  .writemem              Write Memory to File
G  !heap                  Breakpoints, leaks; search for blocks
G  !kuser                 Shared user-mode page KUSER_SHARED_DATA
K  .ignore_missing_pages  Suppress Missing Page Errors
K  .pagein                Page In Memory
K  !d(bcdpuw)             Data at physical address
K  !eb !ed                Write to a physical address
K  !pool                  Pool(s)
K  !poolfind              Find pool tag in nonpaged or paged pools
K  !poolused              Memory use, based on the pool tag
K  !poolval               Analyze a pool page and find corruptions
K  !frag                  Pool memory fragmentation
K  !spoolused             Session's paged pool use
K  !lookaside             Display or modify look-aside lists
K  !sysptes               System page table entries PTEs
K  !vm                    Virtual memory use statistics
K  !vtop                  Virtual to physical; page table and directory
K  !pfn                   Page(s) frame(s) database
K  !pte                   Address' page table entry PTE and PDE
K  !ptov                  Physical-to-virtual map for a process
K  !vad                   Address' virtual address descriptor VAD
K  !memusage              Physical memory use

Processes and threads

U  ||                     System Status
U  |                      Process Status
U  ~                      Thread Status
U  ~E                     Thread-Specific Command
U  .abandon               Abandon Process
U  .attach                Attach to Process
U  .childdbg              Debug Child Processes
U  .create                Create Process
U  .createdir             Set Created Process Directory
U  .restart               Restart Target Application
U  .ttime                 Display Thread Times
U  !runaway               Display the time consumed by each thread
U  !threadtoken           Thread's impersonation state
U  !locks                 ntsdexts.dll, process' critical sections
U  .tlist                 List Process IDs
G  .cxr                   Display Context Record
G  .detach                Detach from Process
G  .kill                  Kill Process
G  !gle                   Last error value for the current thread
G  !peb                   Process environment block PEB
G  !teb                   Thread environment block TEB
K  .context               Set User-Mode Address Context
K  .process /p            Set Process Context
K  .restart               Restart Kernel Connection
K  !process               One or all processes
K  !ready                 READY threads
K  !running               List all running threads
K  !sprocess              Session processes
K  !thread                Thread
K  !zombies               "Zombie" processes or threads
K  .tss                   Display Task State Segment
K  !exqueue               Queued items in the ExWorkerQueue work queues

Crash Dump

G  .dump                  Create Dump File
G  .dumpcab               Create Dump File CAB
G  !analyze -v            Analyze bugcheck
G  .opendump              Open Dump File
G  !findxmldata           XML from a kernel Small Memory Dump CAB
K  .bugcheck              Display Bug Check Data
K  .crash                 Force System Crash
K  .reboot                Reboot Target Computer
K  !bugdump               Bug check callback buffers
K  .enumtag               Enumerate Secondary Callback Data

OEM Support Tools (if needed)

http://support.microsoft.com/?kbid&ID=253066

   !apc !dpc              Dump APC/DPC or all APCs/DPCs
   !ethread/!kthread      Display thread structure
   !idt                   Dump information about IDT and handlers
   !ip                    Dissection and dump of IP packets
   !kqueue                Display queue of worker thread
   !lastlivetime          Display system last live time
   !list,!singlelist      Chain display of LIST_ENTRY/SINGLE_LIST_ENTRY
   !s                     Cool searching capability
   !smb                   Display SMB structure from header
   !stack                 Stack analysis
   !strct                 Dump most structures in ntddk.h
   !xpool                 Print maps of pool usage

Control Flow

G  $<                     Run Script File
G  AD                     Delete Alias
G  AL                     List Aliases
G  AS                     Set Alias
G  J                      Execute If - Else
G  Z                      Execute While
G  !for_each_frame        Execute for each frame in the stack
G  !for_each_local        Execute for each local variable
G  !for_each_module       Execute for each loaded module
G  !list                  Execute for every element in a linked list
   .foreach .do .for .while .if .elsif .else .catch .break .continue .leave   See help :)

Console / Help

G  ;                      Command Separator
G  ?                      Command Help
G  .help                  Meta-Command Help
G  .hh                    Open HTML Help File
G  !help                  Help for the extension commands
G  *                      Comment
G  N                      Set Number Base
G  SO                     Set Kernel Debugging Options
G  SQ                     Set Quiet Mode
G  SS                     Set Symbol Suffix
G  Q QQ                   Quit
G  QD                     Quit and Detach
G  vercommand             Debugger Command Line
G  version                Debugger Version
G  vertarget              Target Version
G  .asm                   Disassembly options: no_code_bytes, ignore_output_width
G  .cls                   Clear Screen
G  .echo                  Echo Comment
G  .echotimestamps        Show Time Stamps
G  .enable_long_status    Enable Long Integer Display
G  .enable_unicode        Enable Unicode Display
G  .expr /s masm|c++      Choose Expression Evaluator
G  .force_radix_output    Use Radix for Integers
G  .force_tb              Forcibly Allow Branch Tracing
G  .formats               Show Number Formats
G  .logappend             Append Log File
G  .logclose              Close Log File
G  .logfile               Display Log File Status
G  .logopen               Open Log File
G  .noshell               Prohibit Shell Commands
G  .noversion             Disable Version Checking
G  .ocommand              Expect Commands from Target
G  .ofilter               Filter Output
G  .pcmd                  Set Prompt Command
G  .shell                 Command Shell
G  .sleep                 Pause Debugger
G  .time                  Display System Time
G  .wake                  Wake Debugger
G  .wtitle                Set Window Title
G  .write_cmd_hist [file] Write the command history to a file
K  !dbgprint              Strings previously sent to the DbgPrint buffer

Information

U  !critsec               CRITICAL_SECTION
U  !cs                    Critical sections tree
U  .closehandle           Close Handle
U  !dreg                  Registry information
U  !evlog                 Display, change, or back up the event log
U  !gatom                 Global atom table
U  !avrf                  Application Verifier and its outputs
G  !elog_str              Add a string to the event log
G  !atom                  Atom table
G  ?                      Evaluate Expression
G  ??                     Evaluate C++ Expression
G  !error                 Explain an error value
G  DS Ds                  Display String
G  !ustr                  UNICODE_STRING
G  !str                   ANSI_STRING or OEM_STRING
G  DV                     Display Local Variables
G  DG                     Display Selector
G  R                      Registers
G  Rm                     Register Mask
G  K(BDPpV)               Display Stack Backtrace
G  DL                     Display Linked List
G  !slist                 Singly-linked list SList
G  .frame                 Set Local Context
G  .lastevent             Display Last Event
G  .kframes [N]           Set Stack Length
G  !gflag                 Set or display the global flags
G  !handle                Handle(s)
G  !htrace                Stack trace for one or more handles
G  !owner                 Owner of a module or function
G  !obja                  Object of Object Manager
G  !acl                   Access control list ACL
G  !sd                    Security descriptor
G  !sid                   Security identifier SID
G  !tls                   Thread local storage TLS
G  !token                 Security token object
K  !npx                   Floating-point register save area
K  !dflink                Linked list in the forward direction
K  !dblink                Linked list in the backward direction
K  .echocpunum            Show CPU Number
K  !apc                   Asynchronous procedure calls APCs
K  !timer                 Display all system timer use
K  !blockeddrv            List of blocked drivers
K  !ca                    Control area for the specified section
K  !callback              Thread's trap callback data
K  !cmreslist             Device object's CM_RESOURCE_LIST
K  !deadlock              Deadlocks found by Driver Verifier
K  !defwrites             Variables of the Cache Manager
K  !devext                Bus-specific device extension for devices
K  !devnode               Node in the device tree
K  !devobj                DEVICE_OBJECT
K  !devstack              Device stack associated with a device object
K  !drvobj                DRIVER_OBJECT
K  !drivers               List all loaded drivers with their memory use
K  !pnpevent              Plug and Play device event queue
K  !rellist               Plug and Play relation list
K  !pocaps                Power capabilities
K  !popolicy              Power policy
K  !diskspace             Free space on a hard disk
K  !object                System object
K  !qlocks                State of all queued spin locks
K  !reg                   Display and search through registry data
K  !regkcb                Registry key control blocks
K  !session               Control or display the session context(s)
K  !stacks                Kernel stacks
K  !vpb                   Volume parameter block VPB
K  !wsle                  Display all working set list entries WSLE
K  !arbiter               System resource arbiters and arbitrated ranges
K  !filecache             System file cache memory and PTE use
K  !filelock              Display a file lock
K  !gentable              RTL_GENERIC_TABLE
K  !hidppd                HIDP_PREPARSED_DATA
K  !bushnd                HAL BUS_HANDLER
K  !ioresdes              IO_RESOURCE_DESCRIPTOR
K  !ioreslist             IO_RESOURCE_REQUIREMENTS_LIST
K  !irp                   I/O request packet IRP
K  !irpfind               Find I/O request packets IRP
K  !irql                  Current interrupt request level IRQL
K  !job                   Job object
K  !locks                 kdextx86.dll, kdexts.dll, ERESOURCE locks
K  !lpc                   Local procedure call LPC ports and messages
K  !verifier              Display the status of Driver Verifier
K  !ahcache               Application compatibility cache

Hardware

G  !cpuid                 Processors
G  UR                     Unassemble Real Mode BIOS
G  !psr                   (Itanium) Status word PSR
K  UX                     Unassemble x86 BIOS
K  RDMSR                  Read MSR
K  WRMSR                  Write MSR
K  !dma                   DMA subsystem, and the Driver Verifier
K  !ecb !ecd !ecw         Write to the PCI configuration space
K  !cbreg                 CardBus information and registers
K  !cpuinfo               CPU
K  !exca                  CardBus ExCA registers
K  !fwver                 Itanium firmware
K  !mca                   x86: Machine check architecture MCA registers
K  !mca                   Itanium: MCA error record
K  !mps                   BIOS Intel Multiprocessor Specification MPS
K  !mtrr                  Display the MTRR register
K  !pci                   Status of the PCI buses and attached devices
K  !pcitree               PCI/CardBus device objects and child buses
K  !pcr                   Processor control region PCR
K  !prcb                  Display the processor control block PRCB
K  !srb                   Display a SCSI Request Block SRB
K  !urb                   Display a USB request block URB
K  !wdmaud                WDM Audio WDMAud structures
K  !errlog                Pending entries in the I/O system's error log

Misc / Never Used (By me :)

U  .endsrv                End Debugging Server
G  .endpsrv               End Process Server
G  .chain                 List Debugger Extensions
G  .clients               List Debugging Clients
G  .load                  Load Extension DLL
G  .unload                Unload Extension DLL
G  .unloadall             Unload All Extension DLLs
G  .locale                Set Locale
G  .quit_lock             Prevent Accidental Quit
G  .remote                (KD or CDB) Create Remote.exe Server
G  .remote_exit           (KD or CDB) Exit Debugging Client
G  .send_file             Send File
G  .server                Create Debugging Server
G  .servers               List Debugging Servers
G  .setdll                Set Default Extension DLL
K  IB ID IW               Input from Port
K  OB OD OW               Output to Port
K  .cache                 Set Cache Size
K  .kdfiles               Set Driver Replacement Map
K  .secure                Activate Secure Mode
K  !processfields         EPROCESS fields
K  !tokenfields           TOKEN fields
K  !threadfields          ETHREAD fields
   CTRL+A                 Toggle Baud Rate
   CTRL+B                 Quit Local Debugger
   CTRL+C                 Break
   CTRL+D                 Toggle Debug Info
   CTRL+F                 Break to KD
   CTRL+K                 Change Post-Reboot Break State
   CTRL+P                 Debug Current Debugger
   CTRL+R                 Re-synchronize
   CTRL+V                 Toggle Verbose Mode
   CTRL+W                 Show Debugger Version
U  !dp                    In ntsdexts.dll, display a CSR process
U  !dt                    Display information about a CSR thread
G  !net_send              Send a message over the LAN
G  !version               Display the version of the extension DLL
G  !logexts.help          logexts.dll "Windows API Logging Extensions"
G  !rpcexts.help          rpcexts.dll "RPCDBG"
K  !calldata              Call performance from the named table
K  !vpdd                  Process' physical, virtual, content memory
K  !ndiskd.help           ndiskd.dll "NDIS"
K  !acpikd.help           acpikd.dll "ACPI"
K  !gdikdx.verifier       Driver Verifier verifying a graphics driver

Debug a piped session:

   -k com:pipe,port=\\.\pipe\Name,resets=0 -ee c++ -QSY -QY -W Test
   -b -k com:port=com1,baud=115200 -QSY -QY -W Remote

Debugging tools for Windows:

http://www.microsoft.com/whdc/ddk/debugging/default.mspx
