Debugging Tips and Tricks


How to find hidden processes


How to find which process is leaking AWE memory


How to find opened handles or loaded dlls in kernel-mode debugging mode


How to get user-mode stacks of WOW64 processes in kernel-mode debugging mode


How to monitor processes start and exit events in kernel-mode debugging mode


How to break at the entry point of a process in kernel-mode debugging mode


How to get full stack in kernel-mode debugging mode


How to save module from native app using SOS.SaveModule command


Debugging Cases


L1C63x64.sys: Bug Check 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL)

In this case the operating system has been crashing from time to time.


Windows Server 2003: stack overflow

In this case Windows Server 2003 was crashing during boot.


Two bugs in ieframe.dll

In this case Windows Explorer sporadically stopped responding for about 10 seconds.


Process Explorer: System hang

In this case the system completely stopped responding and I used a feature of the operating system to force ...


Condrv.sys: Bug Check 0x3B (SYSTEM_SERVICE_EXCEPTION)

The system crashed when I clicked on the "Stop Debugging" button in Visual Studio.


WinDbg: Access violation exception (0xC0000005) when running the !clrstack command

This exception occurs when you run the !clrstack command after the .loadby sos clr command.


File History: Access violation exception (0xC0000005) in fhcfg.dll

This exception occurs when you try to save changes in the Control Panel\System and Security\File History\Exclude Folders.


WinDbg: Access violation exception (0xC0000005) when running the !for_each_module command

This exception occurs when the CommandString parameter of the !for_each_module command contains the !address command.


Internet Explorer 11: One-time crash on exit

This case shows us that there is some code that can run without error for years and then one day ends up with a failure.


TFS 2013 Scheduled Backups Failure (TF401009 and TF400997)

When you try one of these scenarios: 1. Create Scheduled Backups (TF401009 and TF400997). 2. Reconfigure Scheduled Backups (TF401009 and TF400997). 3. Restore Databases (TF400997).


The crash of the Visual Studio 2010 when running Code Analysis

Every time I ran Code Analysis on the project from Visual Studio 2010 it worked fine, but one day, when I ran it right after the project had been loaded, Visual Studio crashed.


Bug in CryptStringToBinary function

When I was writing the Find tool, I decided to use the CryptStringToBinary function, instead of my own function, to convert hexadecimal strings to binary data.


Bug in srchadmin.dll

A few days after my brother installed Windows 8 Developer Preview, he told me that when he clicks on "File Types" in Control Panel Indexing Options->Advanced, both dialogues (Indexing Options and Advanced Options) disappear in a few seconds.


Bug in cmkd.dll

Once, when I was debugging with WinDbg, it suddenly stopped responding. After a while I ran another instance and began the investigation.