DBG320 - Mastering Windows Debugging

 NEW!  Go beyond the basics of debugging with this intensive seminar. 

Level: Advanced

Applications developers; systems software developers; device driver developers; system administrators; system integrators; hardware OEMs; platform engineers; I.T. support personnel


This seminar provides a detailed and thorough tutorial on the art of debugging with the Windows Debugging Tools, primarily for purposes of crash dump (blue screen) analysis, but also for live debugging and analysis of failures in user mode programs. Additional tools such as Windows Performance Analyzer (for monitoring ETW events, used by drivers and the OS for tracing) are presented. 

The seminar begins with a quick introduction to the debugger, followed by a walkthrough of the analysis of a fairly straightforward memory dump file. This will present an example of a common class of easy-to-analyze problem, and will be used as a foundation for deeper study. 

The seminar will present a number of debugging techniques, each followed by a lab period in which students will analyzie a memory dump for which the technique is useful. Each such analysis period will be followed by detailed discussion.

Most Windows crashes are caused by code that violates a key Windows internals principle, and many of the dumps are selected to highlight the most common of these cases. During the discussion period, each such principle will be described along with the typical code fixes. In most cases, suggestions as to how the problem could have been detected during testing (for example, using the Checked Build of the OS, or Driver Verifier, or ETW tracing) are offered. 

Someone skilled in kernel mode debugging is often asked to help out with user mode problems as well, and the seminar does include the use of WinDbg for analysis of user mode dumps and for debugging running programs. Debugging of Windows service processes and of early startup processes is covered. 

The debugger is of course also useful for live debugging of kernel mode code, and some of the debugger's capabilites that are particularly suited for that environment will be presented and used in labs. 


NOTE: This is a preliminary topic list and as such is subject to revision. This does not necessarily reflect the order of presentation. Many of the subtopics listed here will be presented in a much more "interwoven" form than is suggested by this list. 
  • Quick review: Debugger setup and operation
    • Remote debugging
  • Fundamentals of Windows crashes
    • Basic stack interpretation (procedures and arguments)
    • Basic crash analysis
    • Common exception bugchecks
    • Recognizing and analyzing assertion bugchecks
  • x86 and x64 instruction set
    • Interpreting disassembly code
    • Detailed stack analysis
    • Recovering "lost" registers
  • Specific problem syndromes
    • Pool corruption
    • Page faults in nonpageable contexts
    • Kernel stack overflow
    • Stack corruption
    • Serialization errors
    • Buffer overruns
    • "Lost" stacks
  • Additional tools
    • The checked build
    • Driver Verifier 
    • System log files
  • User mode (process) debugging
    • User mode debugging with WinDbg
    • Obtaining process memory dumps
    • Debugging running processes
    • Heap corruption
    • Buffer overruns
    • Debugging Windows service processes
    • Debugging early Windows processes
  • Live debugging
    • Finding symbols
    • Setting breakpoints
    • Using DbgPrint
  • Event Tracing for Windows 
    • Windows Performance Toolkit
    • Standard Windows events
    • Beyond DbgPrint: Generating ETW events in driver code
    • Viewing ETW traces in WinDbg
  • Extending the debugger
    • Using existing debugger extensions
    • Debugger command programs
    • Writing debugger extension DLLs

All attendees must have attended one of our Windows Internals seminars, or have equivalent experience.  This seminar builds on, and does not repeat, material presented in our Windows Internals (INT201) seminar. Some previous experience with the Windows Debugging Tools is not required, but would of course be helpful. 

Operating systems supported: This seminar primarily addresses Windows 7 through Windows 10 and Windows Server 2012 R2. Most of the material is applicable to earlier versions of Windows. Earlier versions can be specifically addressed upon request.
Durations and formats: 5 days with labs

This seminar is only offered with labs.