windbg ANSI Command Tree 1.0 title {"Start cheat sheet"} body {"Symbols"} {"Use Public Symbols"} {".sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols"} {"Add Public Symbols"} {".sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols"} {"Add Nuget Symbols"} {".sympath+ srv*c:\symbols*https://nuget.smbsrc.net"} {"Reload Symbols"} {".reload"} {"Reload ALL Symbols"} {".reload /f"} {"KERNEL:Load User Mode Symbols:reload /f /user"}{".reload /f /user"} {"Reload .NET Debug Support Verbose"} {".cordll -ve -u -l"} {"turn OFF .NET Debug Support Verbose"} {".cordll -vd"} {"Information"} {"Time of dump"} {".time"} {"Process being debugged"} {"|"} {"Dump Location"} {"||"} {"Create server on port 9999"} {".server tcp:port=9999"} {"Show remote connections"} {".clients"} {"Process Environment Block"} {"!peb"} {"Enable Unicode"} {".enable_unicode 1"} {"Enable DML"} {".prefer_dml 1"} {"Logging"} {"Open Log"} {".logopen /t /u /d"} {"Close Log"} {".logclose"} {"Common Extensions"} {"ADD 64Bit Extension Path"} {".extpath+ C:\LabFiles\tools\Extensions\_64Bit"} {"ADD 32Bit Extension Path"} {".extpath+ C:\LabFiles\tools\Extensions\_32Bit"} {"Time Travel Trace - Windbg Preview only"} {".load TTDExt;!index;!events"} {"Start of Trace"} {"!tt 0"} {"End of Trace"} {"!tt 100"} {"All Exceptions"} {"dx @$curprocess.TTD.Events.Where(t => t.Type == "Exception").Select(e => e.Exception)"} {"Thread LifeTime"} {"dx /g @$curprocess.TTD.Events.Where(t => t.Type == "ThreadCreated").Select(e => e.Thread)"} {"Reverse step over: p-"} {"p-"} {"Reverse step over to (previous) call: p-c"} {"p-c"} {"Reverse step into: t-"} {"t-"} {"ALL Calls to here 32Bit"}{"dx @$cursession.@"TTD".Calls(@eip.ToDisplayString())"} {"ALL Calls to here 64Bit"}{"dx @$cursession.@"TTD".Calls(@rip.ToDisplayString())"} {"Current Extensions"} {".chain"} {".NET: Loadby Sos for Mscorwks"} {".loadby sos mscorwks"} {".NET: Loadby Sos for Clr"} {".loadby sos Clr"} {"SIE Extension (load)"} {".load sieextpub"} {"SIE Extension - help"} {"!sieextpub.help"} {"Pde (load)"} {".load pde"} {"!help"} {"!pde.help"} {"!stowedexceptions"} {"!pde.stowedexceptions"} {"SOSEX Extension (load)"} {".load sosex"} {"SOSEX Extension - help"} {"!sosex.help"} {"!mk"} {"!sosex.mk"} {"!mdso"} {"!sosex.mdso"} {"!mdv"} {"!sosex.mdv"} {"MEX Extension (load)"} {".load MEX"} {"MEX Extension - help"} {"!MEX.help"} {"!UniqueStacks"} {"!MEX.UniqueStacks"} {"!clrstack2"} {"!MEX.clrstack2"} {"!WCFPerfCounters"} {"!MEX.wcfperfcounters"} {"!tasks - NET Tasks Running"} {"!MEX.tasks"} {"!ndso Native Dump Stack Object"} {"!MEX.ndso"} {"!ndro Native Dump Register Object"} {"!MEX.ndro"} {"!dss Dump Strings on the Stack"} {"!MEX.dss"} {"NetExt"} {"General"} {"Load (netext must be in the debuggers directory)"} {".load netext"} {"Index"} {"!windex"} {"Create Objects Tree"} {"!windex -tree"} {"Stack Objects"} {"~*e!wstack"} {"Enumerate types"} {"!windex -enumtypes"} {"Dump Rooted Objects"} {"!wgchandle"} {"Get Heap Info Only"} {"!wheap -detailsonly"} {"Database"} {"Dump Commands"} {"!wfrom -nospace -nofield -type System.Data.SqlClient.SqlCommand select "===========","\nAddress: ",$addr(), "\nSQL Command: \n[------]\n", _commandText, "\n[------]\nTime Out: ", $tickstotimespan($timespantoticks(0,0,_commandTimeout)), "\nAsync Command in Progress?: ",_activeConnection._AsycCommandInProgress, "\nConnection compromised?: ", _activeConnection._innerConnection._connectionIsDoomed, "\nCreation Time: ", $isnull($tickstodatetime(_activeConnection._innerConnection._createTime.dateData), "Not available")"} {"Dump DataReaders"} {"!wfrom -nospace -nofield -type System.Data.SqlClient.SqlDataReader where (_command) select "===========","\nAddress: ",_command, "\nBehavior: ", $enumname(_commandBehavior), "\nClosed?: ",_isClosed, "\nInitialized?: ", _isInitialized, "\nHas Rows?: ", _hasRows, "\nBytes Read/Remaining: ", _columnDataBytesRead, "/", _columnDataBytesRemaining, "\nSystem Type: ",$enumname(_typeSystem), "\nReader Timeout: ",$tickstotimespan($timespantoticks(0,0,_timeoutSeconds)), "\nSQL Command: \n[------]\n", _command._commandText, "\n[------]\nCommand Timeout: ", $tickstotimespan($timespantoticks(0,0,_command._commandTimeout)), "\nAsync Command in Progress?: ",_command._activeConnection._AsycCommandInProgress, "\nConnection compromised?: ", _command._activeConnection._innerConnection._connectionIsDoomed, "\nCommand Creation Time: ", $isnull($tickstodatetime(_command._activeConnection._innerConnection._createTime.dateData), "Not available"), "\nReader Start Time: ", $tickstodatetime(_parser._connHandler._createTime.dateData), "\nTime Elapsed: ", $tickstotimespan($now()-_parser._connHandler._createTime.dateData), "\nDatabase: ", _parser._connHandler._originalDatabase, "\nServer: ", _parser._server"} {"WCF"} {"List all WCF Services"} {"!wservice"} {"WCF Thread Running Requests"} {"!wfrom -nospace -nofield -type *HostedHttpRequestAsyncResult select $typename()," : ",$addr(), "\n","Uri : ", $isnull(originalRequestUri.m_String,"NA"),"\n", "Context Object: ", $isnull(context._context, "NA"),"\n", "Thread: ",$isnull("~~["+$tohexstring(context._context._thread.DONT_USE_InternalThread)+"]", "NA")"} {"Outbond Requests"} {"!wfrom -nofield -nospace -implement System.ServiceModel.Channels.OutputChannel "Address:", $addr(), " Url:", to.uri.m_String"} {"Pending Requests"} {"r $t1=0;!wfrom -nospace -nofield -type *HostedHttpRequestAsyncResult where (!isCompleted) select $addr(), "\t", $if(isCompleted, "Complete", "Pending"), "\t", $isnull("~~["+$tohexstring(context._context._thread.DONT_USE_InternalThread)+"]", "No Thread"), "\t", "(", context, ") ", $typefrommt($poi(context)), "\t", $fieldfromobj($fieldfromobj($addr(), "k__BackingField"),"m_String"), $if(0,"",$dbgrun("r $t1=@$t1+1"));.printf "\n%u Pending Requests\n",@$t1"} {"Complete Requests"} {"r $t1=0;!wfrom -nospace -nofield -type *HostedHttpRequestAsyncResult where (isCompleted) select $addr(), "\t", $if(isCompleted, "Complete", "Pending"), "\t", $isnull("~~["+$tohexstring(context._context._thread.DONT_USE_InternalThread)+"]", "No Thread"), "\t", "(", context, ") ", $typefrommt($poi(context)), "\t", $fieldfromobj($fieldfromobj($addr(), "k__BackingField"),"m_String"), $if(0,"",$dbgrun("r $t1=@$t1+1"));.printf "\n%u Pending Requests\n",@$t1"} {"net.tcp"} {"net.tcp endpoints"} {"!wfrom -nospace -nofield -type System.Net.ServicePoint select "\n===========", "\nAddress: ", $addr(), "\nLookup String: ", m_LookupString, "\nHost Name: ", m_HostName, "\nPort: ", m_Port, "\nDns?: ",$if(m_ConnectedSinceDns, "Yes", "No"), "\nTrusted: ", $if(m_IsTrustedHost, "Yes", "No"), "\nConnetion Name: ", m_ConnectionName, "\nIsProxy EndPoint? ", $if(m_ProxyServicePoint, "Yes", "No"), "\nLoopback guess: ", $enumname(m_HostLoopbackGuess), "\nLoopback?: ", $if(m_IPAddressesAreLoopback, "Yes", "No"), "\nSettings changed by user?: ", $if(m_UserChangedLimit, "Yes", "No"), "\nConnection Limit: ", m_ConnectionLimit, "\nCurrent Connections: ", m_CurrentConnections, "\nHost Mode: ", $if(m_HostMode, "Yes", "No")"} {"net.tcp connected sockets"} {"r @$t1=0;!wfrom -nospace -nofield -type System.Net.Sockets.Socket where (m_IsConnected) select "\nAddress: ", $addr(), "\nConnected: ", $if(m_IsConnected, "true", "false"), "\nBlocking: ", $if(willBlock, "true", "false"), "\nType: ", $enumname(protocolType), "\nServer/Client: ", $if(isListening, "Server", "Client"), "\nDestination: ", $substr($tonumberstring(m_RightEndpoint.m_Address.m_address & 0xff),2,3),".",$substr($tonumberstring(m_RightEndpoint.m_Address.m_address / 0x100 & 0xff),2,3),".",$substr($tonumberstring(m_RightEndpoint.m_Address.m_address / 0x10000 & 0xff),2,3), ".",$substr($tonumberstring(m_RightEndpoint.m_Address.m_address / 0x1000000 & 0xff),2,3), ":",$substr(m_RightEndpoint.m_Port, 2,10), $dbgrun("r @$t1 = @$t1+1");.printf "\n\nConnected Sockets : %i\n", @$t1"} {"net.tcp disconnected sockets"} {"r @$t1=0;!wfrom -nospace -nofield -type System.Net.Sockets.Socket where (!m_IsConnected) select "\nAddress: ", $addr(), "\nConnected: ", $if(m_IsConnected, "true", "false"), "\nBlocking: ", $if(willBlock, "true", "false"), "\nType: ", $enumname(protocolType), "\nServer/Client: ", $if(isListening, "Server", "Client"), "\nDestination: ", $substr($tonumberstring(m_RightEndpoint.m_Address.m_address & 0xff),2,3),".",$substr($tonumberstring(m_RightEndpoint.m_Address.m_address / 0x100 & 0xff),2,3),".",$substr($tonumberstring(m_RightEndpoint.m_Address.m_address / 0x10000 & 0xff),2,3), ".",$substr($tonumberstring(m_RightEndpoint.m_Address.m_address / 0x1000000 & 0xff),2,3), ":",$substr(m_RightEndpoint.m_Port, 2,10), $dbgrun("r @$t1 = @$t1+1");.printf "\n\nDisconnected Sockets : %i\n", @$t1"} {"net.tcp errors"} {"!wfrom -type System.ServiceModel.Channels.SocketConnection where (aborted) select "====",$addr(), aborted, isShutdown, $enumname(closeState), $if(socket, "socket state is "+$tostring(socket.m_Handle._state), "No socket"), socket.m_IsConnected, timeoutErrorString, $enumname(timeoutErrorTransferOperation)"} {"Security/WIF"} {"Expired/Valid Tokens"} {"!wfrom -nospace -nofield -type System.ServiceModel.Security.Tokens.SecurityContextSecurityToken select $addr()," ", id," ",$tickstodatetime(keyExpirationTime.dateData)," ",$if(keyExpirationTime.dateData > $now(), "Valid", "Expired")"} {"Modules"} {"All Modules"} {"lm D sm"} {"Loaded Modules"} {"lmo D sm"} {"Loaded Modules (verbose)"} {"lmvo D sm"} {"Modules w/o symbols"} {"lme D sm"} {"Stacks"} {"First 4 args on 64Bit"}{".echo "first 4 args on 64Bit during function entry:"; ? @rcx;? @rdx; ? @r8 ;? @r9; .echo "raw call stack:"; dq /c 1 @rsp"} {"Dump EFlags Register"} {".printf "Overflow: %i Direction: %i Interrupt %i Sign %i Zero %i", @of, @df, @if, @sf,@zf ;.printf "\nAuxiliary Carry: %i Parity: %i Carry: %i Trap Debugging: %i I/O Privilege Level: %i", @af, @pf, @cf, @tf,@iopl"} {"TEB"} {"!peb;dt ntdll!_TEB @$teb"} {"Set frame length to 500"} {".kframes 500"} {"Dump current stack w/ DML"} {"kpM 100"} {"Dump stacks for case notes"} {"knL 100"} {"Dump stacks with all parameters"} {"kPn 100"} {"Dump stacks (distance from last frame)"} {"kf 100"} {"Typical stack - kvn"} {"kvn 100"} {"Dump all stacks"} {"~*kvn 100"} {"Dump unique stacks"} {"!uniqstack -pn"} {"Thread environment block"} {"!teb"} {"Move to next frame"} {".f+"} {"Move to previous frame"} {".f-"} {"First 4 args on 64Bit"}{".echo "first 4 args on 64Bit during function entry:"; ? @rcx;? @rdx; ? @r8 ;? @r9; .echo "raw call stack:"; dq /c 1 @rsp"} {"TEB"} {"dt ntdll!_TEB @$teb"} {"Memory"} {"Dump Memory Summary"} {"!address -summary"} {"Dump heaps"} {"!heap -a"} {"Dump Leaks"} {"!heap -l"} {"Automated Task"} {"!analyze"} {"!analyze -v"} {"!analyze (verbose)"} {"!analyze -vv"} {"!analyze (hang)"} {"!analyze -hang -v"} {"Dump information"} {".dumpdebug"} {"Locks"} {"!locks"} {"Waitlist"} {"!waitlist"} {"Critical Sections"} {"!cs -l"} {"Runaways"} {"!runaway 7"} {".NET"} {"Managed Stack"} {"!clrstack"} {"Managed Stack"} {"!clrstack -a"} {"All Dump Stacks"} {"!eestack"} {"Current Dump Stack"} {"!dumpstack"} {"All Managed Stacks"} {"~*e!clrstack"} {"Threads"} {"!threads"} {"Stack Objects"} {"!dso"} {"Exception"} {"!pe"} {"GC Heap"} {"!eeheap -gc"} {"Heap Stats"} {"!dumpheap -stat"} {"Objects > 500 bytes"} {"!dumpheap -min 500"} {"Objects > 1000 bytes"} {"!dumpheap -min 1000"} {"Gen 2 Objects (sosex)"} {"!sosex.dumpgen 2"}