In this episode of Defrag Tools, Andrew Richards and Chad Beeder use Debugging Tools for Windows (WinDbg) to determine the root cause of various application crashes which have occurred on Andrew’s computer. We use Sysinternals ProcDump to capture the dumps.

While debugging, we take a side trip into configuring colors for Compressed and Encrypted files in Windows Explorer, and use Sysinternals Process Monitor to determine why the debugger was getting an Access Denied when loading the PDE Debugger Extension.

We did a similar investigation in these two episodes:

We cover how to install the Debugging Tools for Windows in this episode:

Get the Sysinternals tools from We use:

Get the PDE debugger extension from the Defrag Tools OneDrive

Get your Symbol Path to the Microsoft Public Symbol Server:

  • Via Environment Variable
    setx /m _NT_SYMBOL_PATH SRV*C:MySym*
  • In the Debugger
    .sympath SRV*C:MySym*

To collect dumps of crashes on your own machine, install ProcDump as the Postmortem (AeDebugger) debugger:

md c:dumps
procdump.exe -ma -i c:dumps

On any dump (user or kernel), you can run automated analysis to view the issue:

!analyze -v

Debugging Cheat Sheet

  • c0000005 is an Access Violation – use .ecxr & k
  • c000027b is a Stowed Exception (Store Apps) – use !pde.dse
  • e0434352 is a CLR Exception – use !
  • e0697282 is a C++ Exception – use .ecxr & k
  • 80000003 is a Breakpoint – use !analyze -v
  • When typing a decimal number, prefix it “0n”
  • When typing a hexadecimal number, prefix it “0x” (the default prefix)

Common Debugger Commands

.exr -1

  • View the Exception Code and the Exception Parameters
  • Number looking like C0xxxxxx and 80xxxxxx are HRESULTs (Error Codes)
  • Number looking like 7FFFxxxxxxxx are usually code (assembler) addresses


  • Display the address information – Commited/Reserved/Free, Image/Mapped/Private
  • Used to determine if a number is code or data.


  • List Nearest address
  • Displays the symbol at or near the address
  • Used to determine if a number is code or data.


  • Change the debugging context to the point of the exception (rather than being at the Windows Error Reporting context)


  • View the registers at the current context. (.ecxr produces the same output)


  • View the call stack


  • View loaded module verbosely with a mask
  • View a module’s details, including folder, timestamp, description, copyright, product/file version

| (Vertical Bar or Pipe character)

  • View the executable’s path (e.g. c:windowsnotepad.exe)


  • Get the description of an Error Code. Best at describing System Error Codes.


  • Get the description of an Error Code. Good at describing HRESULTs (80xxxxxx and C0xxxxxx)


  • Scrape the current thread for evidence (symbols, structures, strings, etc.)


  • Displays the number in various formats.
  • Easy way of working out if a number is actually ASCII text, or a date/time


  • Display a CLR Exception.
  • If there is an Inner Exception, click on the link to view it.

.cordll -u & .cordll -l

  • If SOS isn’t loaded, try to do an unload and load of the CLR support.


  • View the Process Environment Block (Modules, Command Line, Environment Variables, etc.)


  • View the current Thread’s Environment Block (Stack Range, Last Error Code, Last Status Code, etc.)


  • Get Last Error
  • Display the Last Error Code and Last Status Code of the current thread


  • Clear the screen.


  • Force a reload (download) of symbols for the modules on the current stack.

.reload /f

  • Force a full reload (download) of symbols for the modules on the current stack.

Store Applications

To view the currently installed Store Applications and their version use:

Registry Editor (regedit.exe)

  • HKEY_CURRENT_USERSOFTWAREClassesActivatableClassesPackage


Source link