windbg ANSI Command Tree 1.0
title {"by V A G N E R P I L A R"}
body
{"Kernel Debugging"}
{"Logging"}
{"Open Log"} {".logopen /t /u C:\Customers\Debugging.txt"}
{"Close Log"} {".logclose"}
{"Loading Patterns"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\patterns.dll"}
{"Loading Blue WinDBG"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\blwdbgue.dll"}
{"Dump Info"}
{"Bugcheck Args & System Uptime"} {"!analyze -show bugcheck; .time"}
{"Dump Header"} {".dumpdebug"}
{"Debugger Shortcuts"}
{"Apply Aliases"} {"aS !p !process; aS !t !thread; aS .f .frame; aS .p .process /p /r; aS .t .thread /p /r; .ignore_missing_pages 1"}
{"System info"}
{"Computer name"} {"dS srv!srvcomputername"}
{"Event Log"} {"!wmitrace.strdump"}
{"Show remote connections"} {".clients"}
{"Time and OS Version"} {"vertarget"}
{"BIOS Info"} {"!sysinfo machineid"}
{"CPU Info"} {"!sysinfo cpuinfo"}
{"Memory Info"} {"!sysinfo smbios"}
{"Slots"} {"!pcitree"}
{"Device tree GUI"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgkit.dll; !dv"}
{"Resource Conflict check"} {"!arbiter 1"}
{"Device tree"} {"!devnode 0 9"}
{"Object Explorer"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgkit.dll; !ob"}
{"HID device"} {"!hidkd.hidtree"}
{"SymbolicLinks"} {"!object \Global??\"}
{"Registry Hives"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\swishdbgext.dll;!ms_hivelist"}
{"Registry Consumed Pool"} {"!reg dumppool"}
{"Terminal Server?"} {"!session"}
{"Services"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\swishdbgext.dll;!ms_services"}
{"Driver Info"}
{"3rd party drivers"} {"lme"}
{"Plug and Play triage"} {"!pnptriage"}
{"List drivers non MSFT symbols"} {".reload /f"}
{"Modules"} {"ld*"}
{"Filter Drivers"} {"!fltkd.filters"}
{"Binaries"} {"lmvm msiscsi; lmvm mpio; lmvm storport; lmvm volsnap; lmvm msdsm; lmvm ntfs; lmvm dfsc; lmvm tcpip; lmvm afd; lmvm clusdisk"}
{"Verifier"} {"!verifier"}
{"Bugcheck parameters"} {".bugcheck"}
{"Process and Threads"}
{"List all Running with Stack"} {"!running -it"}
{"Process with DML"} {"!dml_proc"}
{"Process"} {"!process 0 7"}
{"Process Explorer"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgkit.dll;!ps"}
{"Process Path"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\swishdbgext.dll; !ms_process"}
{"RAW Stacks"} {"dps esp-3000 esp+3000"}
{"Stacks"} {"!stacks"}
{"Displays stacks"} {"kcn"}
{"Locks"} {"!locks"}
{"Exclusive Owner"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\mex.dll; !eresource -v"}
{"Running"} {"!running"}
{"File Server"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\mex.dll; !fileserver"}
{"Ready"} {"!ready"}
{"Dump active Pnp thread if any"} {"!pnpthread"}
{"Exqueue WS2008 R2"} {"!exqueue /f"}
{"Exqueue WS2012 R2"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\swishdbgext.dll; !ms_exqueue"}
{"Networking"}
{"Ndiskd in details"} {"!ndiskd.netreport -verbose"}
{"Port Exhaustion"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\mex.dll; !mex.afd -conn -report -verbose"}
{"Ndiskd Miniport"} {"!ndiskd.miniports"}
{"Ndiskd Protocols"} {"!ndiskd.protocols"}
{"Checking vswitch Config"} {"!nvkd.vswitch"}
{"Checking IP Address"} {"dpu poi(srvnet!SrvAdminIpAddressList)"}
{"Memory"}
{"Virtual Memory"} {"!vm 4"}
{"Pagefile Info"} {"!pagefile"}
{"RAMmap"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgkit.dll;!mm"}
{"Working Set"} {"!process 0 1"}
{"Fragmentation"} {"!frag"}
{"Search memory with Tag"} {".echo !for_each_module s-a @#Base @#End "<tag>""}
{"Checking Tag"} {".asm no_code_bytes"}
{"Unassemble function"} {"uf ExAllocatePool"}
{"Pool list"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\poolinfo.dll; !poollist"}
{"Storage and I/O Commands"}
{"Disk"} {"!scsikd.classext"}
{"DevNode Disk"} {"!devnode 0 1 disk"}
{"LUNs"} {"!storagekd.storunit"}
{"Check Throttles"} {"!defwrites"}
{"Storage"} {"!storagekd.storadapter"}
{"IOCTL code"} {"!ioctldecode"}
{"Show disk cluster"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\mex.dll;!clusdisk"}
{"VSS"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\mex.dll;!vss"}
{"File System"} {"!object \Filesystem"}
{"Drive Info C:\"} {"!driveinfo C:"}
{"Drive Info D:\"} {"!driveinfo D:"}
{"Drive Info E:\"} {"!driveinfo E:"}
{"Drive Info F:\"} {"!driveinfo F:"}
{"Drive Info G:\"} {"!driveinfo G:"}
{"CPU"}
{"CPU info"} {"!sysinfo cpuinfo"}
{"DPC Queues"} {"!dpcs"}
{"CPU Speed"} {"!sysinfo cpuspeed"}
{"!pcr"} {"!pcr 0"}
{"Watchdog Timer"} {"!swd"}
{"DPC Watchdog"} {"!dpcwatchdog"}
{"Detailing PCR timeout"} {"dt nt!_KPRCB XX Dpc*"}
{"Multithread Processor Info"} {"!smt"}
{"Display Status of each Processor"} {"!frozen"}
{"Display NUMA information"} {"!numa"}
{"USB details"}
{"USB2"}
{"usb2tree"} {"!usbkd.usb2tree"}
{"usbtriage"} {"!usbkd.usbtriage"}
{"usbpnp"} {"!usbkd.usbpnp"}
{"usb power requests"} {"!usbkd.usbpo"}
{"usb host controller"} {"!usbkd.usbhcdlist"}
{"usb hubs a x r"} {"!usbkd.usbhubs"}
{"USB3"}
{"usbanalyze"} {"!usb3kd.usbanalyze -v"}
{"usb_tree"} {"!usb3kd.usb_tree"}
{"xhci_deviceslots"} {"!usb3kd.xhci_deviceslots"}
{"WHEA"}
{"List WHEA"} {"!whea"}
{"WHEA Structs"} {".echo _WHEA_ERROR_RECORD, _WHEA_ERROR_RECORD_HEADER,_WHEA_ERROR_RECORD_HEADER_VALIDBITS, _WHEA_TIMESTAMP,_WHEA_ERROR_SOURCE_TYPE, _WHEA_ERROR_PACKET,"}
{"Forensics"}
{"Scanning LSASS.EXE"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\perflib.dll; !process 0 0 lsass.exe"}
{"Running Mimikatz"} {"!mimikatz"}
{"Checking exploitability"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\MSEC.dll; !exploitable"}
{"Anti-RootKit Scan"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\wdbgark.dll; !wa_scan"}
{"Kernel Pages by PatchGuard"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\findpg.dll; !findpg"}
{"Power"}
{"Power Policy"} {"!popolicy"}
{"Power Capabilities"} {"!pocaps"}
{"Power IRPs"} {"!poreqlist"}
{"Current Power"} {"!poaction"}
{"CPPC"} {"!wdfkd.wdflogdump amdppm -d"}
{"Dumps the device node with the power state and all attached devices"} {"!devpowerstate"}
{"Memory Analysis Checklist for System Hang"}
{"Check list"} {".load C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\patterns.dll; !chk S"}
{"User Space Debugging"}
{"Information"}
{"Open help"} {".hh"}
{"Time of dump"} {".time"}
{"Process being debugged"} {"|"}
{"Dump location"} {"||"}
{"Process Environment Block"} {"!peb"}
{"Last event"} {".lastevent"}
{"Logging"}
{"Open log"} {".logopen /t /u /d"}
{"Close log"} {".logclose"}
{"Modules"}
{"All modules"} {"lm D sm"}
{"Loaded modules"} {"lmo D sm"}
{"Loaded modules (verbose)"} {"lmvo D sm"}
{"Modules w/o symbols"} {"lme D sm"}
{"Show verbose symbol loading info"} {"!sym noisy; .reload"}
{"Set symbol path"} {".sympath srv*C:\symbols*http://msdl.microsoft.com/download/symbols"}
{"Stacks"}
{"Set frame length to 2000"} {".kframes 2000"}
{"Dump current stack w/ DML"} {"kpM 1000"}
{"Dump stacks with all parameters"} {"kPn 1000"}
{"Dump stacks with FPO"} {"kvn 1000"}
{"Dump all thread stacks"} {"~*kbn 1000"}
{"Dump unique stacks"} {"!uniqstack -pn"}
{"Thread environment block"} {"!teb"}
{"Move to next frame"} {".f+"}
{"Move to previous frame"} {".f-"}
{"Show local variables"} {"dv /v /t"}
{"Memory"}
{"Dump heaps"} {"!heap -a"}
{"Dump heap statistics"} {"!heap -s 0"}
{"Dump all heap blocks"} {"!heap -h 0"}
{"Resources"}
{"Dump all handles (basic information)"} {"!handle"}
{"Enable handle tracing"} {"!htrace -enable"}
{"Obtain and diff handle tracing snapshot"} {"!htrace -diff"}
{"Automated Tasks"}
{"!analyze"} {"!analyze -v"}
{"CPU time for User and Kernel Mode"} {"!runaway 7"}
{"Kernel"}
{"Kernel hang analysis"} {"!analyze -hang"}
{"Display all processes"} {"!process 0 0"}
{"Current thread"} {"!thread"}
{"Find all IRPs (slow)"} {"!irpfind"}
{"Pool usage statistics (sorted by size)"} {"!poolused 4"}
{"Locks information"} {"!locks"}
{"Queued spinlocks"} {"!qlocks"}
{"Managed"}
{"Load SOS 4.0"} {".loadby sos clr"}
{"Load SOS 2.0"} {".loadby sos mscorwks"}
{"Managed stack"} {"!clrstack"}
{"Threads"} {"!threads"}
{"Stack objects"} {"!dso"}
{"Sync blocks"} {"!syncblk"}
{"Managed heap statistics"} {"!dumpheap -stat"}
{"Print current exception"} {"!PrintException"}