{"id":114,"date":"2007-02-09T11:19:16","date_gmt":"2007-02-09T16:19:16","guid":{"rendered":"http:\/\/www.nynaeve.net\/?p=114"},"modified":"2019-12-13T17:38:39","modified_gmt":"2019-12-13T22:38:39","slug":"enabling-the-local-kernel-debugger-on-vista-rtm","status":"publish","type":"post","link":"http:\/\/www.nynaeve.net\/?p=114","title":{"rendered":"Enabling the local kernel debugger on Vista RTM"},"content":{"rendered":"

If you’re a kernel developer, and you’ve upgraded to Vista, then one of the changes that you may have noticed is that you can’t perform local kernel debugging anymore.<\/p>\n

This is true even if you elevate WinDbg. If you try, you’ll get an error message stating that the debugger failed to get KD version information (error 5), which corresponds to the Win32 ERROR_ACCESS_DENIED error code.<\/p>\n

This is due to a change from Vista RC2 to Vista RTM, where the kernel function responsible for supporting much of the local KD functionality in WinDbg (KdSystemDebugControl<\/em>) was altered to require the system to be booted with \/DEBUG. This is apparent if we compare RC2 to RTM.<\/p>\n

RC2 has the following check in KdSystemDebugControl (one comparison against KdpBootedNodebug<\/em>):<\/p>\n

nt!KdSystemDebugControl:\r\npush    0F4h\r\npush    81841938\r\ncall    nt!_SEH_prolog4\r\nxor     ebx,ebx\r\nmov     dword ptr [ebp-28h],ebx\r\nmov     dword ptr [ebp-20h],ebx\r\nmov     dword ptr [ebp-24h],ebx\r\ncmp     byte ptr [nt!KdpBootedNodebug],bl\r\nje      nt!KdSystemDebugControl+0x2c ; Success\r\nmov     eax,0C0000022h ; STATUS_ACCESS_DENIED<\/pre>\n
On Vista RTM, two additional checks were added against nt!KdPitchDebugger<\/em> and nt!KdDebuggerEnabled<\/em> (disregard the fact that the RTM disassembly is from the x64 version; both the x86 and x64 Vista versions have the same checks):<\/p>\n
nt!KdSystemDebugControl:\r\nmov     qword ptr [rsp+8],rbx\r\nmov     qword ptr [rsp+10h],rdi\r\npush    r12\r\nsub     rsp,170h\r\nmov     r10,rdx\r\nand     dword ptr [rsp+44h],0\r\nand     qword ptr [rsp+48h],0\r\nand     qword ptr [rsp+50h],0\r\ncmp     byte ptr [nt!KdpBootedNodebug)],0\r\njne     nt!KdSystemDebugControl+0x8b7 ; Fail\r\ncmp     byte ptr [nt!KdPitchDebugger],0\r\njne     nt!KdSystemDebugControl+0x8b7 ; Fail\r\ncmp     byte ptr [nt!KdDebuggerEnabled],0\r\nje      nt!KdSystemDebugControl+0x8b7 ; Fail<\/pre>\n
The essence of these checks is that you need to be booted with \/DEBUG enabled in order for local kernel debugging to work.<\/p>\n
There is a simple way to accomplish this, however, without the usual painful aspects of having a kernel debugger attached (e.g. breaking on user mode exceptions or breakpoints).<\/p>\n
All you have to do is enable kernel debugging, and then disable user mode exception handling.  This requires the following options to be set via BCDEdit.exe, the Vista boot configuration database manager:<\/p>\n
    \n
  1. bcdedit \/debug on<\/em>.  This enables kernel debugging for the booted OS configuration.<\/li>\n
  2. bcdedit \/dbgsettings <type> \/start disable \/noumex<\/em> (where type<\/em> corresponds to a usable KD type on your computer, such as 1394).  This disables user mode exception handling for the kernel debugger.  You should still be able to boot the system without a kernel debugger attached.<\/li>\n<\/ol>\n
    After setting these options, reboot, and you should be set.  You’ll now be able to use local KD (you must still remember to elevate the debugger, though), but you won’t have user mode programs try to break into the kernel debugger when they crash without a user mode debugger attached.<\/p>\n
    Note, however, that you’ll still be able to break in to the system with a kernel debugger after boot if you choose these options (and if the box crashes in kernel mode, it’ll freeze waiting for a debugger to attach).  However, at least you will not have to contend with errant user mode programs causing the system to break into the kernel debugger.<\/p>\n","protected":false},"excerpt":{"rendered":"
    If you’re a kernel developer, and you’ve upgraded to Vista, then one of the changes that you may have noticed is that you can’t perform local kernel debugging anymore. This is true even if you elevate WinDbg. If you try, you’ll get an error message stating that the debugger failed to get KD version information […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,5],"tags":[],"_links":{"self":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/114"}],"collection":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=114"}],"version-history":[{"count":1,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":607,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/114\/revisions\/607"}],"wp:attachment":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}