There are two primary audiences for this material: support persons and device driver developers. Familiarity with the basic architecture of Windows 2000 is assumed. Those sections that discuss device driver debugging also assume knowledge of device drivers and the C programming language. The book is fundamentally about using the Microsoft tools to debug device drivers and perform post-mortem crash dump analysis of kernel-mode failures.

Book Organization
The approach taken here will lead you on a journey from understanding basic Windows 2000 debugging concepts, through the interpretation of the stop screen, to an overview of the tools. Chapter 2 contains all of the information required to set up the debugging environment. Chapter 3 switches gears and examines the Windows 2000 stop screen. Chapter 4 wraps up the introductory material with a tour of the debuggers.
After presenting this information, we'll spend three chapters actually using these tools to do debugging and to examine hardware-specific state. Chapter 5 focuses on using the debugging tools to perform debugging tasks, and Chapter 6 follows a path that examines a target's hardware with the debugger. Chapter 7 will have us momentarily switch gears and talk about extending the debugger with our own custom extensions.
Chapter 8 discusses the interesting and little-understood topic of remote-kernel debugging (that's debugging across a modem line or a network). Chapter 9 builds on the knowledge gleaned from the first eight chapters and talks about applying the techniques to examining memory dump files (as well as everything else you could want to know about dump files and the utilities to examine them). This is followed in Chapter 10 with a discussion of other tools provided by Microsoft to aid those debugging Windows 2000 device drivers. The book is concluded with a chapter devoted to debugging resources.
The appendixes attempt to bring into one place useful information that is normally scattered between header files, knowledge base articles, and the newsgroup archives. Appendix A is a complete reference of the options and commands available in the Microsoft Kernel Debuggers. Appendix B provides a listing of the bug check codes generated by Windows 2000, along with their often-undocumented parameters, and common causes. Appendix C enumerates the NT status codes, simply because they are not referenced in any other available hard-copy documentation, and they're invaluable when reading a stop screen.

A Word about Versions
Microsoft is revising the tools described in this book at an amazing clip, with each revision generally improving on the last. At the same time, prerelease builds of Windows Whistler and related versions of debugging tools are arriving almost weekly at times. Amid this flurry of activity, it is impossible to write a book on a specific version of any one tool. The approach taken here is to capture what is common and most current when discussing the tools and their various features. Except where noted, what is stated about the tools is true across versions. What are ignored are the idiosyncrasies of the specific versions of each of these tools. Once the debugging tools stabilize, as Microsoft heads from Windows 2000 into Windows Whistler and Windows NT 4.0 becomes a memory, it is hoped that this book will be revised to reflect the specifics of the shipping version of the tools and the operating system.

This Book Isn't Endorsed...
Although parties within Microsoft were aware that this book was being written over the past year, it is not endorsed by Microsoft, nor was Microsoft's cooperation solicited or offered during its writing. Likewise, as I wrote the majority of this text, I was a member of the Windows NT Engineering Team at NCR Corporation and the System Software Team at Network Engines. Both NCR and Network Engines kindly encouraged and supported the effort, but no one at either company officially reviewed or endorsed this work. The contents of this book are the responsibility of the author alone. No materials that would be considered confidential or proprietary by any of these companies were used in the preparation of this work.

Book's Web Site
This book has a web site at aint-it-good/kerneldebug.htm that includes a multitude of good, related information. Look there for updated pointers to information about kernel debugging and crash dump analysis for both Windows 2000 and Windows Whistler. I encourage everyone to check in there to see what's available.
This comprehensive guide to Windows 2000 kernel debugging will be invaluable to anyone who must analyze and prevent Windows 2000 system crashes, especially device driver authors and debuggers. Renowned kernel debugging expert Steven McDowell covers every aspect of kernel debugging and crash dump analysis, including advanced hardware debugging and other techniques barely addressed in Microsoft's documentation.
Discover what Microsoft's WinDbg debugger can (and can't) do for you, and how to configure both local and remote kernel debugging environments. Learn to use Windows 2000's crash dump feature, step by step. Learn how to start and stop errant drivers, pause target systems, retrieve system and driver state, and step through source code using breakpoints and source-level debugging.
McDowell demonstrates techniques for taking control of target systems, including finding "lost" memory blocks, setting process and thread contexts, and reviewing I/O system error logs. You'll learn how to use Microsoft's powerful Debugger Extensions to run virtually any command you choose, and master the new Driver Verifier, which can detect common mistakes in driver code with unprecedented speed and accuracy.
Most Helpful Customer Reviews
12 of 12 people found the following review helpful:
1.0 out of 5 stars
A waste of trees.
By Felix Kasza "Felix Kasza" (Redmond, WA)
This review is from: Windows 2000 Kernel Debugging (Hardcover)
The book is essentially useless. Claiming to address itself to administrators and developers alike, it manages to satisfy neither. The book explains on 160 (one hundred and sixty!) pages how to configure NT to produce a crash dump file; how to read a BSOD; how to run dumpexam; how to fire up a debugger; and how to get Windbag to run a debug session. Oh, I forget -- there are a few pages on the Driver verifier, too. The other 140 pages are a summary of Windbag commands (outdated) and a list of bugcheck codes and NTSTATUS values, both badly formatted, outdated versions of the corresponding header files. This reviewer had expected all of the above to take, oh, 50 pages at the outside, with the rest of the book devoted to common debugging scenarios -- why does my driver go bang with a 0x1E bugcheck? how do I find and eliminate a deadlock? what did I do wrong in my IRP canceling code? None of that is in there; and what _is_ in the book can be found in the DDK and Windbag docs, better written and more easily digested. Felix Kasza.
6 of 6 people found the following review helpful:
3.0 out of 5 stars
Good intro to the debugger, but partially out of date
By A Customer
This review is from: Windows 2000 Kernel Debugging (Hardcover)
This book does not teach you how to debug. It's essentially what the debugger documentation should have been 2 years ago. If you have never done any kernel debugging, this is a good starting point that will give you an overall understanding of the process and the tools. However, now that Microsoft has rewritten all the debugger documentation, most of this information comes with the online documentation. The most unfortunate thing in my mind is that the most important chapter - remote debugging - has a major mistake in it: Figure 8-2 is wrong and will totally confuse the reader. Figure 8-2 should have the HOST machine located between the REMOTE and the TARGET machine.
3 of 3 people found the following review helpful:
1.0 out of 5 stars
Don't ever buy this book
By
This review is from: Windows 2000 Kernel Debugging (Hardcover)
This book is all about how to set up the debugger and get some basic information on the error.
WinDbg documentation is much much better than this. If you want some good introductory/advanced information about Kernel Debugging try getting hold of DebugFest materials from Microsoft, sells for some $200 as a kit. That's a wonderful material on Kernel debugging. This book deserves 0 stars. Only this I can't rate as zero. Complete waste of money.