Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)

Start here for an overview of Debugging Tools for Windows. This tool set includes WinDbg and other debuggers.

Install Debugging Tools for Windows

You can get Debugging Tools for Windows as part of a development kit or as a standalone tool set:

As part of the WDK

Debugging Tools for Windows is included in the Windows Driver Kit (WDK). To get the WDK, see Download the Windows Driver Kit (WDK).

As part of the Windows SDK

Debugging Tools for Windows is included in the Windows Software Development Kit (SDK). To download the installer or an ISO image, see Windows 10 SDK on Windows Dev Center.

As a standalone tool set

You can install the Debugging Tools for Windows alone, without the Windows SDK or WDK, by starting installation of the Windows SDK and then selecting only Debugging Tools for Windows in the list of features to install (and clearing the selection of all other features). To download the installer or an ISO image, see Windows 10 SDK on Windows Dev Center.

Get started with Windows Debugging

To get started with Windows debugging, see Getting Started with Windows Debugging.

To get started with debugging kernel-mode drivers, see Debug Universal Drivers — Step by Step Lab (Echo Kernel-Mode). This is a step-by-step lab that shows how to use WinDbg to debug Echo, a sample driver that uses the Kernel-Mode Driver Framework (KMDF).

Debugging environments

If your computer has Visual Studio and the WDK installed, then you have six available debugging environments. For descriptions of these environments, see Debugging Environments.

All of these debugging environments provide user interfaces for the same underlying debugging engine, which is implemented in the Windows Symbolic Debugger Engine (Dbgeng.dll). This debugging engine is also called the Windows debugger, and the six debugging environments are collectively called the Windows debuggers.

Visual Studio includes its own debugging environment and debugging engine, which together are called the Visual Studio debugger. For information on debugging in Visual Studio, see Debugging in Visual Studio. For debugging managed code, such as C#, using the Visual Studio debugger is often the easiest way to get started.

Windows debuggers

The Windows debuggers can run on x86-based, x64-based, or ARM-based processors, and they can debug code that is running on those same architectures. Sometimes the debugger and the code being debugged run on the same computer, but other times the debugger and the code being debugged run on separate computers. In either case, the computer that is running the debugger is called the host computer, and the computer that is being debugged is called the target computer. The Windows debuggers support the following versions of Windows for both the host and target computers.

• WindowsВ 10 and Windows ServerВ 2016
• WindowsВ 8.1 and Windows ServerВ 2012В R2
• WindowsВ 8 and Windows ServerВ 2012
• WindowsВ 7 and Windows ServerВ 2008В R2

Symbols and symbol files

Symbol files store a variety of data that are not required when running the executable binaries, but symbol files are very useful when debugging code. For more information about creating and using symbol files, see Symbols for Windows debugging (WinDbg, KD, CDB, NTSD).

Blue screens and crash dump files

If Windows stops working and displays a blue screen, the computer has shut down abruptly to protect itself from data loss and displays a bug check code. For more information, see Bug Checks (Blue Screens). You analyze crash dump files that are created when Windows shuts down by using WinDbg and other Windows debuggers. For more information, see Crash dump analysis using the Windows debuggers (WinDbg).

Tools and utilities

In addition to the debuggers, Debugging Tools for Windows includes a set of tools that are useful for debugging. For a full list of the tools, see Tools Included in Debugging Tools for Windows.

Additional documentation

For additional information related to Debugging Tools for Windows, see Debugging Resources. For information on what’s new in Windows 10, see Debugging Tools for Windows: New for Windows 10.

Choosing the 32-Bit or 64-Bit Debugging Tools

When you install Debugging Tools for Windows, you get both a 32-bit set of tools and a 64-bit set of tools.

If you are using one of the other debugging environments (WinDbg, KD, CDB, or NTSD), you have to make the choice yourself. To determine which set of debugging tools to use, you need to know the type of processor that is running on your host computer and whether the host computer is running a 32- or 64-bit version of Windows.

The computer that runs the debugger is called the host computer, and the computer being debugged is called the target computer.

Host computer running a 32-bit version of Windows

If your host computer is running a 32-bit version of Windows, use the 32-bit debugging tools. (This situation applies to both x86-based and x64-based targets.)

x64-based host computer running a 64-bit version of Windows

If your host computer uses an x64-based processor and is running a 64-bit version of Windows, the following rules apply:

If you are analyzing a dump file, you can use either the 32-bit debugging tools or the 64-bit debugging tools. (It is not important whether the dump file is a user-mode dump file or a kernel-mode dump file, and it is not important whether the dump file was made on an x86-based or an x64-based platform.)

If you are performing live kernel-mode debugging, you can use either the 32-bit debugging tools or the x64 debugging tools. (This situation applies to both x86-based and x64-based targets.)

If you are debugging live user-mode code that is running on the same computer as the debugger, use the 64-bit tools for debugging 64-bit code and 32-bit code running on WOW64. To set the debugger for 32-bit or 64-bit mode, use the .effmach command.

If you are debugging live 32-bit user-mode code that is running on a separate target computer, use the 32-bit debugging tools.

Отладка 64-разрядных приложений Debug 64-Bit Applications

Существует возможность отладки 64-разрядного приложения, которое выполняется на локальном или удаленном компьютере. You can debug a 64-bit application that is running on the local computer or on a remote computer.

Сведения об отладке 64-разрядного приложения, которое выполняется на удаленном компьютере, см. в статье Remote Debugging. To debug a 64-bit application that is running on a remote computer, see Remote Debugging.

Для отладки 64-разрядных приложений локально в Visual Studio используется 64-разрядная версия рабочего процесса (msvsmon.exe) для выполнения низкоуровневых операций, которые невозможно выполнить в 32-разрядном процессе Visual Studio. To debug 64-bit applications locally, Visual Studio uses a 64-bit worker process (msvsmon.exe) to perform the low-level operations that cannot be done inside of the 32-bit Visual Studio process.

Отладка в смешанном режиме не поддерживается для 64-разрядных процессов, использующих платформу .NET Framework 3.5 или более раннюю версию. Mixed-mode debugging is not supported for 64-bit processes that use .NET Framework version 3.5 or earlier.

Отладка 64-разрядных приложений Debug a 64-bit Application

Чтобы отладить 64-разрядное приложение, выполните следующее. To try debugging a 64-bit application:

Создайте решение Visual Studio, например консольное приложение C#. Create a Visual Studio solution, for example a C# console application.

С помощью Configuration Manager задайте для конфигурации 64-разрядный режим. Set the configuration to 64-bit using the Configuration Manager. Дополнительные сведения см. в разделе Практическое руководство. настроить целевые платформы в проектах. For more information, see How to: Configure Projects to Target Platforms.

На этом этапе запускается 64-разрядная версия удаленного отладчика (msvsmon.exe). At this point the 64-bit version of the remote debugger (msvsmon.exe) starts. Он работает до тех пор, пока открыто решение с 64-разрядной конфигурацией. It runs as long as the solution with the 64-bit configuration is open.

Приступите к отладке. Start debugging. Результат должен быть таким же, как и в случае с 32-разрядной конфигурацией. You should have the same experience as with a 32-bit configuration. Если возникли ошибки, обратитесь к разделу «Устранение проблем», расположенному ниже. If you get errors, see the Troubleshooting section below.

Устранение проблем при 64-разрядной отладке Troubleshooting 64-bit debugging

Может появиться сообщение об ошибке: «64-разрядная операция отладки занимает больше времени, чем ожидалось». You may see an error: «A 64-bit debugging operation is taking longer than expected.» В этом случае из Visual Studio отправлен запрос к 64-разрядной версии msvsmon.exe, и потребовалось много времени на возвращение результата этого запроса. In this case, Visual Studio has sent a request to the 64-bit version of msvsmon.exe, and it has taken a long time for the result of that request to come back.

Есть две основных причины этой ошибки. There are two main causes for this error:

На компьютере установлено программное обеспечение для защиты сети, из-за чего сетевой стек стал ненадежным и стал терять пакеты, идущие через localhost. You have networking security software installed on your computer that has caused the networking stack to be unreliable, and it has dropped packets going over localhost. Попробуйте отключить все программное обеспечение для защиты сети. Try disabling all network security software and see if this resolves it. Если проблема устранена, сообщите поставщику программного обеспечения для защиты сети о том, что его программа мешает трафику localhost. If so, report to your network security software vendor that the software is interfering with localhost traffic.

x64dbg

Check out the blog!

Features

• Open-source
• Intuitive and familiar, yet new user interface
• C-like expression parser
• Full-featured debugging of DLL and EXE files (TitanEngine)
• IDA-like sidebar with jump arrows
• IDA-like instruction token highlighter (highlight registers, etc.)
• Memory map
• Symbol view
• Thread view
• Source code view
• Content-sensitive register view
• Fully customizable color scheme
• Dynamically recognize modules and strings
• Import reconstructor integrated (Scylla)
• Fast disassembler (Zydis)
• User database (JSON) for comments, labels, bookmarks, etc.
• Plugin support with growing API
• Extendable, debuggable scripting language for automation
• Multi-datatype memory dump
• Basic debug symbol (PDB) support
• Dynamic stack view
• Built-in assembler (XEDParse/asmjit)
• Executable patching
• Yara Pattern Matching
• Decompiler (Snowman)
• Analysis

Overview

Active development

x64dbg is under constant active development.

GPLv3

We provide both the executable and the source. Feel free to contribute.

Customizable

Write plugins in C++, change colors and tweak your preferences.

x64/x32 support

x64dbg can debug both x64 and x32 applications. There is only one interface.

Built on open-source libraries

x64dbg uses Qt, TitanEngine, Zydis, Yara, Scylla, Jansson, lz4, XEDParse, asmjit and snowman.

Simple, powerful development

x64dbg uses C++ and Qt to quickly add new features.

Scriptable

x64dbg has an integrated, debuggable, ASM-like scripting language.

Community-aware

x64dbg has many features thought of or implemented by the reversing community.

Extendable

Write plugins to add script commands or to integrate your tools.

Credits

• Debugger core by TitanEngine Community Edition
• Disassembly powered by Zydis
• Assembly powered by XEDParse and asmjit
• Import reconstruction powered by Scylla
• JSON powered by Jansson
• Database compression powered by lz4
• Advanced pattern matching powered by yara
• Decompilation powered by snowman
• Bug icon by VisualPharm
• Interface icons by Fugue
• Website by tr4ceflow

You can find a more exhaustive list of contributers on the wiki.

Download Debugging Tools for Windows

The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes.

To get started with Windows debugging, see Getting Started with Windows Debugging.

Download WinDbg Preview

WinDbg Preview is a new version of WinDbg with more modern visuals, faster windows, and a full-fledged scripting experience. It is built with the extensible object-orientated debugger data model front and center. WinDbg Preview is using the same underlying engine as WinDbg today, so all the commands, extensions, and workflows still work as they did before.

Download WinDbg Preview from the Microsoft Store: WinDbg Preview.

Learn more about installation and configuration in WinDbg Preview — Installation.

Debugging Tools for Windows 10 (WinDbg)

Get Debugging Tools for Windows (WinDbg) from the SDK: Windows 10 SDK. Use the download link on the Windows 10 SDK page, as the Debugging Tools for Windows are not available as part of Visual Studio.

If you just need the Debugging Tools for Windows, and not the Windows Driver Kit (WDK) for Windows 10, you can install the debugging tools as a standalone component from the Windows Software Development Kit (SDK).

In the SDK installation wizard, select Debugging Tools for Windows, and deselect all other components.

Adding the Debugging Tools for Windows if the SDK is already installed

If the Windows SDK is already installed, open Settings, navigate to Apps & features, select Windows Software Development Kit, and then select Modify to change the installation to add Debugging Tools for Windows.

Looking for the debugging tools for earlier versions of Windows?

To download the debugger tools for previous versions of Windows, you need to download the Windows SDK for the version you are debugging from the Windows SDK and emulator archive. In the installation wizard of the SDK, select Debugging Tools for Windows, and deselect all other components.

Learn more about the debuggers

Learn more about WinDbg and other debuggers in Debugging Tools for Windows (WinDbg, KD, CDB, NTSD).