WinDbg Meta Commands
WinDbg meta commands (aka dot commands) are used for controlling debugger itself and the command always starts with dot. The following table shows frequently used WinDbg meta commands.
| Command | Description | Example |
| .create | Create a new target application | .create notepad.exe |
| .attach | Attach to a new target application. | .attach 0n10324 (PID:10324) |
| .detach | Detach from process | .detach |
| .abandon | Abandon process. Ends the debugging session. | .abandon |
| .breakin | Switch from user-mode debugging to kernel-mode debugging. Break to the kernel debugger if kernel-mode debugging was enabled during the boot process. | .breakin |
| .call | Call a function in the target process | .call mydll!FuncA(1,2) |
| .chain | List all loaded debugger extensions | .chain |
| .closehandle | Close a handle owned by the target application | .closehandle 4c |
| .cls | Clear command window display | .cls |
| .cordll | Control managed code debugging and CLR | .cordll -I clr -lp c:\dacFolder |
| .crash | Cause the target computer to crash and issue a bug check | .crash |
| .dump | Create dump file | .dump c:\temp\my.dmp |
| .dbgdbg | Debug current debugger. Launch a new instance of CDB. This new debugger takes the current debugger as its target. | .dbgdbg |
| .echo | Display a comment string | .echo Calc |
| .echotime | Display current time | .echotime |
| .cxr | Display context record | .cxr |
| .ecxr | Display exception context record | .ecxr |
| .effmach | Display or change the processor mode that the debugger uses | .effmach |
| .enable_unicode | If enabled, displays all 16-bit arrays and pointers as Unicode strings. Otherwise, display them as short integers. | .enable_unicode 1 (1=enabled) |
| .eventlog | Display the recent Microsoft Win32 debug events | .eventlog |
| .expr | Specify the default expression evaluator. Default is masm. | .expr /s c++ (change to C++ expression evaluator) |
| .exr | Display the contents of an exception record | .exr -1 (-1=most recent exception) |
| .frame | Specify which local context (scope) is used to interpret local variables or change frame. | .frame 1 (goto 2nd frame) |
| .help | Display a list of all meta-commands | .help |
| .hh | Launch the Debugging Tools for Windows help documentation | .hh |
| .kill | End a process that is being debugged | .kill |
| .lastevent | Display the most recent exception or event that occurred | .lastevent |
| .lines | Enable/disable source line information | .lines -e (enable line number info) |
| .load | Load new extension DLL (full path) into the debugger | .load C:\dbg\sosex.dll |
| .loadby | Load new extension DLL into the debugger. Debugger find 2nd param module and use the module path to load extension DLL. | .loadby sos clr (load sos extension from clr module path) |
| .unload | Unload an extension DLL from the debugger | .unload sos |
| .locale | Display or change current locale. The locale controls how Unicode strings are displayed. | .locale E |
| .logopen | Save commands and the output from the Debugger Command window to a new log file. Subsequent output will be saved to the log file until closed. | .logopen C:\temp\dbg.log |
| .logclose | Close log file | .logclose |
| .logfile | Display log file information | .logfile |
| .logappend | Append commands and the output from the Debugger Command window to the specified log file. If another log file is already open, it will be closed and the specified log file will be open in append mode. | .logappend C:\temp\dbg2.log |
| .open | Open source file | .open c:\src\test.cpp |
| .opendump | Open dump file | .opendump c:\dbg\my.dmp |
| .outmask | Control output mask. Control which message types are sent to the output window and log file. | .outmask- /l 1 (Suppress normal output but error/warning will be displayed. - means remove the bitmask. /l means "preserve the current value of the log file's output mask") |
| .push | Save the current state of the debugger | .push |
| .pop | Restore the debugger state to previously saved state from .push | .pop |
| .process | Specify which process is used for the process context in kernel debugging | .process fe5039e0 |
| .readmem | Read binary data from a file and copy to memory | .readmem file1 5000 100 (read 100 bytes from file1 and copy to address 5000) |
| .writemem | Write binary data to a file | .writemem C:\dbg\my.dll 73b90000 (73b9d000 - 0x1) (write 73b90000-73b9d000 memory to my.dll file) |
| .reboot | Restart the target computer | .reboot |
| .server | Start a debugging server, allowing a remote connection to the current debugging session | .server npipe:pipe=testpipe |
| .endsrv | End debugging server | .endsrv 1 |
| .servers | List all debugging servers that have been established by this debugger | .servers |
| .remote | Start a Remote.exe Server, enabling a Remote.exe Client to connect to the current debugging session. | .remote testSession |
| .remote_exit | Exit debugging client | .remote_exit |
| .restart | Restart target application | .restart |
| .shell | Launch a shell process and redirects its output to the debugger or to a specified file | .shell cmd.exe |
| .sleep | Pause the debugger. Unit is milliseconds. | .sleep 1000 |
| .srcpath | Set or display the source file search path | .srcpath c:\src;c:\sd |
| .exepath | Set or display the source file search path | .exepath+ c:\bin |
| .sympath | Display or change symbol path | .sympath+ c:\symbols |
| .symfix | Automatically sets the symbol path to point to the Microsoft symbol store | .symfix c:\cache |
| .thread | Specify which thread will be used for the register context in kernel debugging | .thread ffaa5280 |
| .tlist | List all processes on the system | .tlist |
| .time | Display time information | .time |
| .trap | Display the trap frame register state and also sets the register context in kernel debugging | .trap |