WinDbg Meta Commands

WinDbg meta commands (also known as dot commands) control the debugger itself, and each one starts with a dot. The following table shows frequently used WinDbg meta commands.

| Command | Description | Example |
| --- | --- | --- |
| `.create` | Create a new target application | `.create notepad.exe` |
| `.attach` | Attach to a new target application. | `.attach 0n10324` (PID:10324) |
| `.detach` | Detach from process | `.detach` |
| `.abandon` | Abandon process. Ends the debugging session. | `.abandon` |
| `.breakin` | Switch from user-mode debugging to kernel-mode debugging. Break to the kernel debugger if kernel-mode debugging was enabled during the boot process. | `.breakin` |
| `.call` | Call a function in the target process | `.call mydll!FuncA(1,2)` |
| `.chain` | List all loaded debugger extensions | `.chain` |
| `.closehandle` | Close a handle owned by the target application | `.closehandle 4c` |
| `.cls` | Clear command window display | `.cls` |
| `.cordll` | Control managed code debugging and CLR | `.cordll -I clr -lp c:\dacFolder` |
| `.crash` | Cause the target computer to crash and issue a bug check | `.crash` |
| `.dump` | Create dump file | `.dump c:\temp\my.dmp` |
| `.dbgdbg` | Debug current debugger. Launch a new instance of CDB. This new debugger takes the current debugger as its target. | `.dbgdbg` |
| `.echo` | Display a comment string | `.echo Calc` |
| `.echotime` | Display current time | `.echotime` |
| `.cxr` | Display context record | `.cxr` |
| `.ecxr` | Display exception context record | `.ecxr` |
| `.effmach` | Display or change the processor mode that the debugger uses | `.effmach` |
| `.enable_unicode` | If enabled, displays all 16-bit arrays and pointers as Unicode strings. Otherwise, displays them as short integers. | `.enable_unicode 1` (1=enabled) |
| `.eventlog` | Display the recent Microsoft Win32 debug events | `.eventlog` |
| `.expr` | Specify the default expression evaluator. Default is masm. | `.expr /s c++` (change to C++ expression evaluator) |
| `.exr` | Display the contents of an exception record | `.exr -1` (-1=most recent exception) |
| `.frame` | Specify which local context (scope) is used to interpret local variables or change frame. | `.frame 1` (go to 2nd frame) |
| `.help` | Display a list of all meta-commands | `.help` |
| `.hh` | Launch the Debugging Tools for Windows help documentation | `.hh` |
| `.kill` | End a process that is being debugged | `.kill` |
| `.lastevent` | Display the most recent exception or event that occurred | `.lastevent` |
| `.lines` | Enable/disable source line information | `.lines -e` (enable line number info) |
| `.load` | Load new extension DLL (full path) into the debugger | `.load C:\dbg\sosex.dll` |
| `.loadby` | Load new extension DLL into the debugger. The debugger finds the module named by the 2nd parameter and uses that module's path to load the extension DLL. | `.loadby sos clr` (load sos extension from clr module path) |
| `.unload` | Unload an extension DLL from the debugger | `.unload sos` |
| `.locale` | Display or change current locale. The locale controls how Unicode strings are displayed. | `.locale E` |
| `.logopen` | Save commands and the output from the Debugger Command window to a new log file. Subsequent output will be saved to the log file until closed. | `.logopen C:\temp\dbg.log` |
| `.logclose` | Close log file | `.logclose` |
| `.logfile` | Display log file information | `.logfile` |
| `.logappend` | Append commands and the output from the Debugger Command window to the specified log file. If another log file is already open, it will be closed and the specified log file will be opened in append mode. | `.logappend C:\temp\dbg2.log` |
| `.open` | Open source file | `.open c:\src\test.cpp` |
| `.opendump` | Open dump file | `.opendump c:\dbg\my.dmp` |
| `.outmask` | Control output mask. Control which message types are sent to the output window and log file. | `.outmask- /l 1` (Suppress normal output but error/warning will be displayed. `-` means remove the bitmask. `/l` means "preserve the current value of the log file's output mask") |
| `.push` | Save the current state of the debugger | `.push` |
| `.pop` | Restore the debugger state to the state previously saved by `.push` | `.pop` |
| `.process` | Specify which process is used for the process context in kernel debugging | `.process fe5039e0` |
| `.readmem` | Read binary data from a file and copy to memory | `.readmem file1 5000 100` (read 100 bytes from file1 and copy to address 5000) |
| `.writemem` | Write binary data to a file | `.writemem C:\dbg\my.dll 73b90000 (73b9d000 - 0x1)` (write 73b90000-73b9d000 memory to my.dll file) |
| `.reboot` | Restart the target computer | `.reboot` |
| `.server` | Start a debugging server, allowing a remote connection to the current debugging session | `.server npipe:pipe=testpipe` |
| `.endsrv` | End debugging server | `.endsrv 1` |
| `.servers` | List all debugging servers that have been established by this debugger | `.servers` |
| `.remote` | Start a Remote.exe Server, enabling a Remote.exe Client to connect to the current debugging session. | `.remote testSession` |
| `.remote_exit` | Exit debugging client | `.remote_exit` |
| `.restart` | Restart target application | `.restart` |
| `.shell` | Launch a shell process and redirect its output to the debugger or to a specified file | `.shell cmd.exe` |
| `.sleep` | Pause the debugger. Unit is milliseconds. | `.sleep 1000` |
| `.srcpath` | Set or display the source file search path | `.srcpath c:\src;c:\sd` |
| `.exepath` | Set or display the source file search path | `.exepath+ c:\bin` |
| `.sympath` | Display or change symbol path | `.sympath+ c:\symbols` |
| `.symfix` | Automatically sets the symbol path to point to the Microsoft symbol store | `.symfix c:\cache` |
| `.thread` | Specify which thread will be used for the register context in kernel debugging | `.thread ffaa5280` |
| `.tlist` | List all processes on the system | `.tlist` |
| `.time` | Display time information | `.time` |
| `.trap` | Display the trap frame register state and also sets the register context in kernel debugging | `.trap` |