Отладка программ Debug programs

Область применения Applies to

В этой статье описываются лучшие методики, расположение, значения, **** управление политиками и вопросы безопасности для параметра политики безопасности программ отлаки. Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting.

Справочные материалы Reference

Этот параметр политики определяет, какие пользователи могут присоединять или открывать любые процессы, даже те, которыми они не владеют. This policy setting determines which users can attach to or open any process, even a process they do not own. Разработчики, которые отладиют собственные приложения, не нуждаются в этом праве пользователя. Developers who are debugging their own applications do not need this user right. Это право пользователя необходимо разработчикам, которые отладит новые компоненты системы. Developers who are debugging new system components need this user right. Это право пользователя предоставляет доступ к конфиденциальным и критически важным компонентам операционной системы. This user right provides access to sensitive and critical operating-system components.

Константа: SeDebugPrivilege Constant: SeDebugPrivilege

Возможные значения Possible values

• Определяемый пользователей список учетных записей User-defined list of accounts
• Не определено Not defined

Рекомендации Best practices

• Назначьте это право только доверенным пользователям, чтобы уменьшить уязвимости системы безопасности. Assign this user right only to trusted users to reduce security vulnerabilities.

Location Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Значения по умолчанию Default values

По умолчанию это право имеют члены группы «Администраторы». By default, members of the Administrators group have this right.

В следующей таблице перечислены фактические и эффективные значения политики по умолчанию для последних поддерживаемых версий Windows. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Значения по умолчанию также можно найти на странице свойств политики. Default values are also listed on the policy’s property page.

Тип сервера или объект групповой политики Server type or GPO	Значение по умолчанию Default value
Default Domain Policy Default Domain Policy	Не определено Not defined
Политика контроллера домена по умолчанию Default Domain Controller Policy	Администраторы Administrators
Параметры по умолчанию для автономного сервера Stand-Alone Server Default Settings	Администраторы Administrators
Действующие параметры по умолчанию для контроллера домена Domain Controller Effective Default Settings	Администраторы Administrators
Действующие параметры по умолчанию для рядового сервера Member Server Effective Default Settings	Администраторы Administrators
Действующие параметры по умолчанию для клиентского компьютера Client Computer Effective Default Settings	Администраторы Administrators

Управление политикой Policy management

В этом разделе описываются функции и средства, которые помогут вам управлять этой политикой. This section describes features and tools that are available to help you manage this policy.

Перезапуск устройства не требуется для того, чтобы этот параметр политики был эффективным. A restart of the device is not required for this policy setting to be effective.

Изменения прав пользователя вступают в силу при его следующем входе в учетную запись. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Групповая политика Group Policy

Параметры применяются в следующем порядке с помощью объекта групповой политики (GPO), который будет перезаписывать параметры на локальном компьютере при следующем обновлении групповой политики: Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

1. Параметры локальной политики Local policy settings
2. Параметры политики сайта Site policy settings
3. Параметры политики домена Domain policy settings
4. Параметры политики подразделения OU policy settings

Если локальный параметр затеняется, это означает, что в настоящее время этот параметр контролируется GPO. When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Вопросы безопасности Security considerations

В этом разделе описывается, каким образом злоумышленник может использовать компонент или его конфигурацию, как реализовать меры противодействия, а также рассматриваются возможные отрицательные последствия их реализации. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Уязвимость Vulnerability

Право пользователя программы отлаки можно использовать для захвата конфиденциальной информации об устройстве из системной памяти, а также для доступа и изменения структуры ядра или приложений. The Debug programs user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Некоторые средства атаки используют это право пользователя для извлечения паролей с использованием hashed и других закрытых сведений о безопасности или для вставки вредоносных программ. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware. По умолчанию право пользователя программ отлаки назначено только администраторам, что помогает снизить риск этой уязвимости. By default, the Debug programs user right is assigned only to administrators, which helps mitigate risk from this vulnerability.

Противодействие Countermeasure

Удалите учетные записи всех пользователей и **** групп, для работы с которые не требуется право пользователя программ отлаки. Remove the accounts of all users and groups that do not require the Debug programs user right.

Возможное влияние Potential impact

Если вы отзовете это право пользователя, никто не сможет отлалать программы. If you revoke this user right, no one can debug programs. Однако в типичных обстоятельствах редко требуется эта возможность на производственных устройствах. However, typical circumstances rarely require this capability on production devices. Если возникает проблема, требуемая отладки приложения на производственном сервере, можно временно переместить сервер в другое подразделение **** и назначить пользователю программ отладки право на отдельную групповую политику для этого подразделения. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU) temporarily and assign the Debug programs user right to a separate Group Policy for that OU.

Debugging Tools for Windows: New for Windows 10

Windbg Preview

For the lastest news on Windows Debugging tools, see WinDbg Preview — What’s New.

WindowsВ 10, version 1703

This section describes new debugging tools in WindowsВ 10, version 1703.

WindowsВ 10, version 1607

This section describes new debugging tools in WindowsВ 10, version 1607.

• New topic about Debugging a UWP app using WinDbg.
• Updates to the 30 most-viewed developer bug check topics in Bug Check Code Reference.

WindowsВ 10

• .settings (Set Debug Settings) — New command that allows you to set, modify, display, load and save settings in the Debugger.Settings namespace.
• dx (Display NatVis Expression) — Describes the new dx debugger command, which displays object information using the NatVis extension model and LINQ support.
• New commands that work with the NatVis visualization files in the debugger environment.
  • .nvlist (NatVis List)
  • .nvload (NatVis Load)
  • .nvunload (NatVis Unload)
  • .nvunloadall (NatVis Unload All)
• Bluetooth Extensions (Bthkd.dll)
• Storage Kernel Debugger Extensions
• New Symproxy information including SymProxy Automated Installation. In addition the following topics are updated to cover new SymProxy functionality:
  • HTTP Symbol Stores
  • SymProxy
  • Installing SymProxy
  • Configuring the Registry
  • Configuring IIS for SymProxy
• CDB Command-Line Options — Updated to include new command line options.
• !analyze — Updated to include information about using this extension with UMDF 2.15.
• !wdfkd.wdfcrashdump— Updated to include information about using this extension with UMDF 2.15
• !irp — Updated. Starting with Windows 10 the IRP major and minor code text is displayed in command output.
• Using Debugger Markup Language — Updated to describe new select-and-hold (or right-click) behavior available in the Debugger Markup Language (DML).
• Crash dump analysis using the Windows debuggers (WinDbg) — Performance has increased in taking a memory dump over KDNET.
• Debug Universal Drivers — Step by Step Lab (Echo Kernel-Mode)- New step by step lab that shows how to use WinDbg to debug the sample KMDF echo driver.

Looking to download the Debugging Tools?

For information on downloading the debugging tools, see Download Debugging Tools for Windows.

Download Debugging Tools for Windows

The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes.

To get started with Windows debugging, see Getting Started with Windows Debugging.

Download WinDbg Preview

WinDbg Preview is a new version of WinDbg with more modern visuals, faster windows, and a full-fledged scripting experience. It is built with the extensible object-orientated debugger data model front and center. WinDbg Preview is using the same underlying engine as WinDbg today, so all the commands, extensions, and workflows still work as they did before.

Download WinDbg Preview from the Microsoft Store: WinDbg Preview.

Learn more about installation and configuration in WinDbg Preview — Installation.

Debugging Tools for Windows 10 (WinDbg)

Get Debugging Tools for Windows (WinDbg) from the SDK: Windows 10 SDK. Use the download link on the Windows 10 SDK page, as the Debugging Tools for Windows are not available as part of Visual Studio.

If you just need the Debugging Tools for Windows, and not the Windows Driver Kit (WDK) for Windows 10, you can install the debugging tools as a standalone component from the Windows Software Development Kit (SDK).

In the SDK installation wizard, select Debugging Tools for Windows, and deselect all other components.

Adding the Debugging Tools for Windows if the SDK is already installed

If the Windows SDK is already installed, open Settings, navigate to Apps & features, select Windows Software Development Kit, and then select Modify to change the installation to add Debugging Tools for Windows.

Looking for the debugging tools for earlier versions of Windows?

To download the debugger tools for previous versions of Windows, you need to download the Windows SDK for the version you are debugging from the Windows SDK and emulator archive. In the installation wizard of the SDK, select Debugging Tools for Windows, and deselect all other components.

Learn more about the debuggers

Learn more about WinDbg and other debuggers in Debugging Tools for Windows (WinDbg, KD, CDB, NTSD).

Windows 10 debug checked

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Asked by:

Question

I’ve been wondering for a while now when the checked builds for Windows 10 will be made available and the MSDN Online Concierge pointed me here.

The reason I am interested in the checked builds is because I am developing and debugging drivers.

The odd thing is that the MSDN Subscriber Downloads list «Windows 10 Symbols Debug-Checked, Version 1511» and «Windows 10 Symbols Debug/Checked» for x86 and x64 respectively, but there are no corresponding checked builds matching these symbols. So the symbols are pretty much useless.

This inconsistency made me think that this is perhaps an oversight of some kind?

Checked builds are available for earlier Windows versions, but Windows 10 seems to be the one where it stopped being made available. Yet the checked version symbols are readily available.

An official MSFT response would be appreciated.

per aspera ad astra

All replies

The newest checked symbols are for the 1511 build. There are retail symbols through 14295.

These are available on the symbol server (as usual) and download

You will probably not get an «official» MSFT response as anyone who could give it will not read here and anyone who gives it are not official.

Wanikiya and Dyami—Team Zigzag Windows IT-PRO (MS-MVP)

I am looking for the checked builds . I saw the symbols for the checked builds as well and referred to them in my question. What I am looking for, in a sense, is the installation DVD/ISO matching these symbols. I am aware that the symbols are available, so I don’t need those.

And by official I meant preferably someone from Microsoft. I know MSFT employees read here and some are moderators.

per aspera ad astra

In general, only really need it if you are developing a driver, for common users, please don’t use a checked build of Windows as an everyday OS.

According to the content of your post, we know you are a professional drivers developer, please visit the following link for your demand.

Downloading a Checked Build of Windows

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

Downloading a Checked Build of Windows

Hi, and thanks for the response.

I did follow the link. The first option is what I tried. The checked builds for Windows 10 (RTM and 1511) are not available there as I pointed out in my question. MSDN Subscriber Downloads don’t list the actual builds, only the symbols.

The second option (Download Center) looked promising, since I hadn’t tried that before. Unfortunately Windows 10 also does not appear as a checked build there.

And yes, I agree that no one should run a checked build day-to-day. There are sometimes driver and application issues of third party drivers/applications in which checked builds behave too correct, causing a BSOD or the application crash. The free (release) builds are much more forgiving.

per aspera ad astra

per aspera ad astra

Have you installed Windows Driver Kit – Windows 10.0.10586.0 for your development?

If you have installed, is this tool unable to meet your requirement?

Please understand that we have no condition to test this tool, because we don’t work on drivers development.

I visit MSDN subscription page, as you said, it only supplies Windows 10 Symbols Debug/Checked.

Therefore, if you think current situation is in a dilemma, you could feedback to Windows Kits developer by this app.

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

• Edited by Teemo Tang Microsoft contingent staff Friday, April 8, 2016 8:20 AM

thanks again. The WDK doesn’t solve my problem and for all I know completely different teams may work on preparing, and making checked builds or the WDK available. However, I’ll also try this suggested route. The WDK folks usually care about the needs of driver developers.

Good suggestion. Thanks a lot for caring!

NB: will leave this open for now, until I find a solution, so I can post it here.

btw: is there a way to upvote your responses? The up-arrows don’t seem to work.

per aspera ad astra

So, current status for now. The paid (through MSDN) support inquiry did not yield anything new. The lady referred me to the local hotline of the Visual Studio Subscriptions Customer Service Centers . I pointed out that the MSDN Online Concierge did not yield anything more and that I would have expected more from a paid support inquiry.

I also pointed her to this thread from the OSR ntdev mailing list archive from October 2015 which discusses the availability of the Windows 10 Checked Build and, as Peter from OSR points out, the fact that it is unavailable on MSDN subscriber downloads, but available on DreamSpark. Proven by a screenshot.

After calling the local Visual Studio Subscriptions Customer Service Centers hotline, I am still left with nothing.

The lack of availability is evident, but they could not make any statement as to why.

Originally the lady on that second call promised me to get me some relevant contact before putting me on hold. But when she came back online she told me that she would inquire internally about the issue and then get in touch with me via email.