
Kernel Debugger extension for Log Extraction

DbgPrint logger home

Install

  • WinDbg:

    Copy dbgprn.dll to winext subfolder of your WinDbg installation, e.g. to E:\Program Files\WinDbg\winext. After that log management commands will become available.

    You can download WinDbg from this site:
    http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx.

    You can find more details about configuring WinDbg together with DbgPrint Dump here: WinDbg HOWTO for QA engineers

    You can use i386kd.exe instead of WinDbg.

  • i386kd.exe NT4: Copy dbgprn.dll to the folder where i386kd.exe is.
  • i386kd.exe 2000: Doesn't work. I don't know why.
  • i386kd.exe XP: Copy dbgprn.dll to winext subfolder which resides near i386kd.exe.

Commands

  • ls, list - view log.
  • save - save log to file.
  • del - purge message buffer on target machine. (since v0.6d)
  • lsig - locate message buffer by looking for signature in physical memory.
  • pause - pause/resume logging. (since v0.6d)
  • drvopt - change logs capturing options. (since v0.7g)

ls, list

This command displays the entire internal message buffer, or part of it, in human-readable form. You can specify the output format with the same switches as for DbgPrintLog.exe.

Note: In some cases WinDbg may be unable to locate the log capturing driver DbgPrnHk.sys in memory. If you are sure that the driver was installed and started, you can try to locate it by signature with the help of the !dbgprn.lsig command. If you know the exact address, you can pass it to !dbgprn.lsig directly (read here for details).

!ls [-h] [-i] [-a] [<1st message> [<last message> | -n <NUM messages>]]
  or
!dbgprn.ls [-h] [-i] [-a] [<1st message> [<last message> | -n <NUM messages>]]
  -h           show this help message
  -a           show all messages and summary info
  -e           show messages from entire buffer, including those already passed
                 up to service and potentially saved to disk (since v0.6e)
  --info       show summary info only (default)
  --start NUM  show starting from NUM message in buffer
  --count NUM  show not more than NUM messages
  --last NUM   show only NUM last messages                   (since v0.5f)
  --next NUM   show only NUM last messages                   (since v0.5f)

    Output format modifiers:

  -m           show initiator mode (K - kernel, U - user)
  -p           show Process ID
  -t           show Thread ID
  -i           show IRQL
  -cpu         show CPU number
  --full       same as -m -p -t -i
  -T           show timestamp
  -fm M        do not show messages from <M> mode (<M> can be K or U)
  -sfp         show Stack Frame Pointer                      (since v0.7)

save

This command saves entire internal message buffer or its part to file.

Note: In some cases WinDbg may be unable to locate the log capturing driver DbgPrnHk.sys in memory. If you are sure that the driver was installed and started, you can try to locate it by signature with the help of the !dbgprn.lsig command.

!save [-h] [-a] [<1st message> [<last message> | -n <NUM messages>]] -f <FILENAME>
  or
!dbgprn.save [-h] [-a] [<1st message> [<last message> | -n <NUM messages>]] -f <FILENAME>
  -h           show this help message
  --file NAME  name of the file for saving messages
  -a           save all messages
  -e           save messages from entire buffer, including those already passed
                 up to service and potentially saved to disk (since v0.6e)
  --start NUM  show starting from NUM message in buffer
  --count NUM  show not more than NUM messages
  --last NUM   show only NUM last messages                   (since v0.5f)

    Output format modifiers:

  -m           show initiator mode (K - kernel, U - user)
  -p           show Process ID
  -t           show Thread ID
  -i           show IRQL
  -cpu         show CPU number
  --full       same as -m -p -t -i
  -T           show timestamp
  -fm M        do not show messages from <M> mode (<M> can be K or U)
  --raw        save messages in raw (binary) format          (since v0.6e)
  -sfp         show Stack Frame Pointer                      (since v0.7)

When RAW mode is used, the saved file can be converted to human-readable (text) format with:

    DbgPrintLog.exe --in_file "saved.msg" [<additional options>] "output.log"

del

This command purges internal message buffer on target machine. (since v0.6d)

!del
  or
!dbgprn.del

pause

This command pauses or resumes log capturing on the target machine. Issued without parameters, it toggles pause mode; '+' pauses and '-' resumes log capturing. (since v0.6d)

!pause [+|-]
  or
!dbgprn.pause [+|-]

drvopt

This command changes logs capturing options on target machine. (since v0.6d)

!drvopt <OPTION_NAME> <VALUE>
  or
!dbgprn.drvopt <OPTION_NAME> <VALUE>

Valid OPTION_NAMEs are:

  • CheckIrql
  • DoNotPassMessagesDown
  • StopOnBufferOverflow
  • TimeStampType
  • AggregateMessages
  • DumpToHalDisplay
  • DumpStackFramePtr

Read the driver documentation for a description of each option.

lsig

This command looks for the message buffer by scanning physical memory for its signature. It is useful when system structures are damaged and the driver cannot be located the normal way.

!lsig --max MAXMEM   look for signature below MAXMEM Mb
!lsig ADDR           check for signature at ADDR virtual address
!lsig -h             show this help message
!lsig                look for signature through 1Gb

The address of the signature page ADDR is printed to the log during driver initialization. It looks like this:

DbgPrnHkInitialize: Allocated signature page at 0x8078b000 // !dbgprn.lsig 8078b000

This message is visible in the debugger even if you use DoNotPassMessagesDown. With this option things are even better: newer messages do not displace this notification.
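As an added example (not part of the original page or the DbgPrint logger project), here is a WinDbg command script that uses the commands above to take a clean snapshot of the captured log: it pauses capturing, saves the whole buffer both in raw form and as text, purges the buffer on the target and resumes. The script file name C:\dbglogs\snapshot.txt, the output paths under C:\dbglogs and the signature address 8078b000 are assumptions; every command and switch comes from the page.

```windbg
$$ C:\dbglogs\snapshot.txt (assumed name) - run inside WinDbg with:  $$><C:\dbglogs\snapshot.txt
$$
$$ If the extension reports that it cannot find DbgPrnHk.sys, locate the buffer first.
$$ The address comes from the "Allocated signature page at 0x..." line in the debugger
$$ output; 8078b000 below is only an assumed value. Uncomment one of the two lines:
$$ !dbgprn.lsig 8078b000
$$ !dbgprn.lsig --max 512

$$ Stop capturing so the buffer does not change while it is being read
!dbgprn.pause +

$$ Print the summary (default --info) so the message count can be checked in the output
!dbgprn.ls

$$ Save the entire buffer, including messages already passed up to the service,
$$ in raw binary form; convert later with
$$   DbgPrintLog.exe --in_file "C:\dbglogs\dbgprint.msg" "C:\dbglogs\dbgprint.log"
!dbgprn.save -a -e --raw -f C:\dbglogs\dbgprint.msg

$$ Keep a human-readable copy too, with mode/PID/TID/IRQL (--full) and timestamps (-T)
!dbgprn.save -a -e --full -T -f C:\dbglogs\dbgprint.txt

$$ Purge the buffer on the target so the next snapshot only contains new messages
!dbgprn.del

$$ Resume capturing
!dbgprn.pause -
```

Taking the raw copy before the text copy matters: the raw file is the one DbgPrintLog.exe can re-render with any output modifiers later, whereas the text copy is fixed to the modifiers used at save time.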


Please, send your comments and propositions here:

FB or mail alterX@alter.org.ua (remove X)
designed by Alter aka Alexander A. Telyatnikov powered by Apache+PHP under FBSD © 2002-2024