WinDbg Cheat Sheet - Data Structures, Commands and Extensions

BlueRobot (Administrator, Staff member; joined May 7, 2013; 10,400 posts)
I've created my WinDbg Cheat Sheet (.DOC), which can be downloaded from my OneDrive, and I'm going to attach the file to this post too. I've excluded LPCs, Registry and the Heap because they were too long and would take about 2/3 pages in total.

I'm planning to convert some of my blog posts into a printable .DOC format, unfortunately I haven't added the images to conserve paper and ink. However, I've edited the .DOC version slightly to compensate for this. I've got a few finished already but will probably upload them all in a single folder at a later date.

Any suggestions or corrections then please post them here.

**Update**

I've just remembered the !cpuinfo and !cpuid extensions. I've also corrected a mistake with the !system extension, it should have been !sysinfo.

Please check my latest post here, for the latest version of the cheat sheet.

*Update (21/05/2021)*

Please find the latest version attached.
 

Attachments

This is amazing - thanks so much for it! I don't do that much debugging anymore having moved mostly into Windows Update, and I find it difficult to always remember how each of the commands work. This looks great :)

Thanks, glad you like it!
 
*Update*

Added:

  • Power Policy Extensions
  • SwishDbgExt and ProcDumpExt
  • Registry Extensions and Data Structures
  • Local Inter-Process Calls (LPCs) Extensions
  • Heap Data Structures and Extensions
  • Windows Access Tokens
  • Miscellaneous

I've added a Contents section which is hyperlinked locally to the appropriate headings within the document. It should hopefully help improve the readability since I've added around 3-4 pages.
 

Attachments

Any idea if SwishDbgExt and ProcDumpExt dll files are still available anywhere for download?
 
The ProcDumpExt dll has, I believe, no longer been available for quite some time. I think the same goes for the SwishDbgExt dll.
 
I have discovered that Andrew Richards (author of ProcDumpExt) has made a new version of this extension called Prototype Debugger Extension (PDE). It is available on his publicly shared OneDrive.

Download the current version (ver 11.3) zip file, locate the appropriate PDE.dll file (either x64 or x86) and copy it to your WinDbg directory, e.g. C:\Program Files (x86)\Windows Kits\10\Debuggers\x64.

Useful commands can be viewed by loading the extension and then viewing the help.

Code:
4: kd> !load PDE
=========================================================================================
 PDE v11.3 - Copyright 2017 Andrew Richards
=========================================================================================
4: kd> !help
=========================================================================================
 Help for Prototype Debugger Extension (PDE) v11.3 - Copyright 2009-2017 Andrew Richards
=========================================================================================
  !seek          - Equivalent of ~*knL and/or !deep 1

  !seek [-q] [-e symbol] [<symbol> [command]]
                 - Execute 'command' against stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !seek
                        !seek ReadFile
                        !seek ReadFile kbn
                        !seek ReadFile dps @rsp @rsp+0x20
                        !seek -q ReadFile !teb
                        !seek -e SleepEx ReadFile !teb

  !seek -?        - Display the help for !seek
  !seek -help     - Display the help for !seek

=========================================================================================
  !deep          - Equivalent of ~*knL but only displays stacks that are at least
                   'depth' frames deep (default depth is 1)

  !deep [<depth> [-q] [-s symbol] [-e symbol] [command]]
                 - Execute 'command' against stacks that are at least 'depth' frames deep

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-s' to only include stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !deep
                        !deep 25
                        !deep 25 kbn
                        !deep 25 dps @rsp @rsp+0x20

                        !deep 25 -q
                        !deep 25 -q !teb

                        !deep 25 -s ReadFile
                        !deep 25 -s ReadFile kbn
                        !deep 25 -s ReadFile dps @rsp @rsp+0x20

                        !deep 25 -e SleepEx
                        !deep 25 -e SleepEx kbn
                        !deep 25 -e SleepEx dps @rsp @rsp+0x20

  !deep -?        - Display the help for !deep
  !deep -help     - Display the help for !deep

=========================================================================================
  !busy          - Equivalent of ~*knL but only displays stacks that are at least
                   'depth' frames deep (default depth is 1) and are not waiting for:-
                    ~ ntdll!NtWaitFor*
                    ~ ntdll!ZwWaitFor*
                    ~ ntdll!NtRemoveIoCompletion
                    ~ ntdll!ZwRemoveIoCompletion
                    ~ ntdll!NtReplyWaitReceivePort
                    ~ ntdll!ZwReplyWaitReceivePortEx

  !busy [<depth> [-x] [-q] [-s symbol] [-e symbol] [command]]
                 - Execute 'command' against stacks that are at least 'depth' frames deep
                   and are not waiting (for the list above)

                 - Specify '-x' to also exclude waiters of network calls, sleeps nad messages:-
                    ~ ntdll!NtRequestWaitReplyPort
                    ~ ntdll!ZwRequestWaitReplyPort
                    ~ ntdll!NtDelayExecution
                    ~ ntdll!ZwDelayExecution
                    ~ ntdll!RtlDeactivateActivationContextUnsafeFast
                    ~ *!NtUserWaitMessage
                    ~ *!ZwUserWaitMessage
                    ~ *!ZwUserGetMessage
                    ~ *!NtUserGetMessage

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-s' to only include stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !busy
                        !busy 25
                        !busy 25 kbn
                        !busy 25 dps @rsp @rsp+0x20

                        !busy 25 -x
                        !busy 25 -x kbn
                        !busy 25 -x dps @rsp @rsp+0x20

                        !busy 25 -q
                        !busy 25 -q !teb

                        !busy 25 -s ReadFile
                        !busy 25 -s ReadFile kbn
                        !busy 25 -s ReadFile dps @rsp @rsp+0x20

                        !busy 25 -e SleepEx
                        !busy 25 -e SleepEx kbn
                        !busy 25 -e SleepEx dps @rsp @rsp+0x20

  !busy -?        - Display the help for !busy
  !busy -help     - Display the help for !busy

=========================================================================================
  !dpx           - Equivalent of dps, dpp, dpa and dpu (combined); also class types (dt) and trap frames (kV)

  !dpx           - Displays from stack pointer to the stack base
  !dpx N         - Displays the first N values, from the stack pointer down
  !dpx <addr> N
                 - Displays the first N values, from <addr> down
  !dpx <addr> <addr>
                 - Displays from addr to addr

                 - Specify '-u' to display an unlimited number of values
                   Default limit is 6,000 addresses

                 - Specify '-a' to display all stack values
                   Default only displays stack values that point to a value

                 - Interface pointers are adjusted to align with the class's virtual function table (vftable)
                 - When there is a value adjustment, the pointer is displayed in light blue text

                 - Specify the following to limit the types; multiple options are allowed
                   -da : ANSI strings
                   -du : UNICODE strings
                   -dt : Data Types
                   -ds : Symbols
                   -df : Trap Frames (Kernel only)
                   -dse: Stowed Exceptions (WinRT apps only)


                   e.g. !dpx
                        !dpx 20
                        !dpx -a
                        !dpx -da -du 20
                        !dpx <addr> <addr> -u
                        !dpx <addr> <addr> -u -a

=========================================================================================
  !spx           - Find an expression (number) or data type (symbol)
                 - Search is pointer aligned
                 - Special handling for multiple interface classes
                 - Add -dt to perform a 'dt' on each address
                 - Very fast in User Mode
                 - Very slow in Kernel Mode

  !spx [-dt] [-s <addr>] [-e <addr>] <expression>

                   e.g. !spx combase!CComApartment
                        !spx -dt combase!CComApartment
                        !spx -s @rsp -e @rsp+1000 0x1234000+0n56

=========================================================================================
  !ssz           - Find ANSI and UNICODE strings
  !ssa           - Find ANSI strings
  !ssu           - Find UNICODE strings
                 - Search is case sensitive
                 - Displays up to 200 characters after the initial match
                 - UNICODE search is a conversion of the ANSI command line
                 - Very FAST in User Mode
                 - Very slow in Kernel Mode

  !ssz [-s <addr>] [-e <addr>] <string>
  !ssa [-s <addr>] [-e <addr>] <string>
  !ssu [-s <addr>] [-e <addr>] <string>

                   e.g. !ssz Program Files
                        !ssz Windows
                        !ssz -s @rsp -e @rsp+1000 User

=========================================================================================
  !dtr           - Equivalent of dt for each valid register
 
  !dtr [args]
  !dtr           - Lists registers that point to an address; includes class type
  !dtr <arg>     - Equivalent of dt @reg <arg> for each valid register
                     !dtr <arg> --> dt @reg <arg>

                   e.g. !dtr
                        !dtr nt!_ERESOURCE
                        !dtr nt!_ERESOURCE Flag

=========================================================================================
  !grep          - Only shows lines which contain <search>
                 - Search is case insensitive
                 - Lines are delimited by newline ('\n')
                 - !grep can be chained

  !grep <search> <command>

                   e.g. !grep days vertarget
                        !grep call u @eip
                        !grep dt !dpx
                        !grep dt !grep DUser !dpx

  !ungrep        - Same as !grep but exclusion

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  !bold          - Highlight the lines which contain <search>
                 - Search is case insensitive
                 - Lines are delimited by newline ('\n')

  !bold <search> <command>

                   e.g. !bold version vertarget
                        !bold call uf ntdll!RtlUserThreadStart

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  !head          - Display the first N bytes of a command
  !tail          - Display the last N bytes of a command

  !head <bytes> <command>
  !tail <bytes> <command>

=========================================================================================
  !ghostthreads  - Lists all threads; real or ghosts
  !gt            - Same as !ghostthreads

  !gt [command]  - If 'command' is specified, the command is run
                   for each thread, instead of the summary table.

                 - The following substitutions are made:
                   - $teb   - TEB Address
                   - $base  - Stack Base Address
                   - $limit - Stack Limit Address

                   e.g. !gt !teb $teb
                        !gt !dpx $base $limit

=========================================================================================
  !loadsos        - Runs #1
  !loadpsscor     - Runs #2
  !loadsosex      - Runs #3
  !loadspext      - Runs #4

  Define PDE_LOADCORDLL to change the default (at load)
                  0 = Disabled
                  1 = SOS (default)
                  2 = PSSCORx + SOSEX
                  3 = SOS + SOSEX
                  4 = SOS + SOSEX + SPEXT 

=========================================================================================
  !comment        - Display the dump's comment (with DML)

  !notes          - Executes commands based on the dump type - starts your case notes
  !exr            - Executes commands based on the exception code (.exr -1)

  !line           - Print a line
  !bigline        - Print three big lines

  !du <addr>      - Display a UNICODE string (up to 4Gb)
  !da <addr>      - Display a ANSI string (up to 4Gb)
  !err <code>     - Display an Error Code
  !guid <addr>    - Display a GUID

  !url <url>      - Open a url; use !ext.url instead

  !kr             - knL printed upside down so WinDiff works better

  !dtr            - Displays Data Types in Registers
  !msr            - Displays the Model-Specific Registers (MSR)

  !stowedexceptions
                  - Display the Stowed Exceptions of a Store app
  !dse            - Same as !stowedexceptions
  !bgtask         - Display the Background Tasks of a Store app

  !symsrvaudit    - Display the SRV status of each lookup made during the command
                  - Command defaults to ".reload /f"

  !diadump <module>
                  - Dump the DIA Tables and Assembly Information of the specified Module

  !dbgp           - Dump a DBGP ACPI table
  !dbg2           - Dump a DBG2 ACPI table
  !msdm           - Dump a MSDM ACPI table
  !slic           - Dump a SLIC ACPI table

  !dmem           - Display the Memory Regions of a User Mode dump
  !vmem           - Display the Virtual Regions of a User Mode process

  !tags [GUID]    - List the GUID and Size of the secondary callback chunks
  !tagshex [GUID] - List the GUID and Size of the secondary callback chunks, and dump in HEX
  !tagstext [GUID]- List the GUID and Size of the secondary callback chunks, and dump in TEXT

  !crashtask      - Enable crashdump support on the current (modern) process

  !dml            - Toggle .prefer_dml
  !dmlraw         - Print DML output as TEXT (used to review DML)

  !help           - Displays the help for all commands

=========================================================================================
  -- Defaults -- 
  DML On          - .prefer_dml 1
  UNICODE On      - .enable_unicode 1
  Ignore Pages On - .ignore_missing_pages 1
  Lines Disabled  - .lines -d

  -- Aliases -- 
  symoff          - .outmask- 0x200
  symon           - .outmask+ 0x200
  dml             - !PDE.dml
  av              - !ext.analyze -nodb -v
  avv             - !ext.analyze -nodb -v6
  ax              - !ext.analyze -nodb -xml
  axv             - !ext.analyze -nodb -xml -xcs -xmi
  axs             - !ext.analyze -nodb -xsd
  show            - !ext.analyze -show
  sn              - !sym noisy
  sq              - !sym quiet
  rf              - .reload /f
  ru              - .reload /u

=========================================================================================
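The install steps in the post above (unzip, pick the x64 or x86 PDE.dll, copy it into the debugger directory) amount to dropping a third-party DLL into a folder WinDbg loads code from, so it is worth gating that copy on a few checks. The script below is an added example, not part of the thread or of PDE itself. It assumes the zip is in your Downloads folder, that the DLL inside is laid out in x64 and x86 subfolders as the post describes, and it uses a placeholder hash that you would replace with the SHA256 you recorded from a copy you trust; whether the DLL is Authenticode-signed is not stated in the thread, so an unsigned file only produces a warning while a hash mismatch or an architecture mismatch stops the install.

```powershell
# Added example (not from the thread or from PDE): stage PDE.dll into the WinDbg
# directory only after verifying it. Paths and the expected hash are assumptions.
param(
    [string]$ZipPath        = "$env:USERPROFILE\Downloads\PDE.zip",             # assumed location
    [string]$DebuggerDir    = "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64",
    [string]$ExpectedSha256 = "<SHA256-OF-KNOWN-GOOD-PDE.DLL>"                  # placeholder
)
$ErrorActionPreference = 'Stop'

# The debugger directory's last path component ('x64' or 'x86') selects the DLL flavour.
$arch = Split-Path -Leaf $DebuggerDir
if ($arch -notin @('x64', 'x86')) { throw "DebuggerDir must end in x64 or x86, got '$arch'" }

# Unpack to a scratch folder rather than straight into the debugger directory.
$staging = Join-Path $env:TEMP 'pde-staging'
Expand-Archive -Path $ZipPath -DestinationPath $staging -Force

$dll = Get-ChildItem -Path $staging -Recurse -Filter 'PDE.dll' |
       Where-Object { $_.DirectoryName -match "\\$arch(\\|$)" } |
       Select-Object -First 1
if (-not $dll) { throw "No $arch PDE.dll found inside $ZipPath" }

# Check 1 (hard gate): the file matches the hash recorded from a trusted copy.
$hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
if ($hash -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA256 mismatch for $($dll.FullName): got $hash, expected $ExpectedSha256"
}

# Check 2 (hard gate): the PE machine type matches the debugger flavour, so a
# 32-bit DLL never lands in the x64 folder or vice versa. IMAGE_FILE_MACHINE_AMD64
# is 0x8664 and IMAGE_FILE_MACHINE_I386 is 0x14C; e_lfanew lives at offset 0x3C and
# the Machine field follows the 4-byte "PE\0\0" signature.
$bytes    = [System.IO.File]::ReadAllBytes($dll.FullName)
$peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
$machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
$wanted   = if ($arch -eq 'x64') { 0x8664 } else { 0x14C }
if ($machine -ne $wanted) {
    throw ("PE machine type 0x{0:X} does not match debugger flavour {1}" -f $machine, $arch)
}

# Check 3 (warning only): Authenticode signature. The thread does not say whether
# PDE.dll is signed, so an unsigned file is reported but not rejected.
$sig = Get-AuthenticodeSignature -FilePath $dll.FullName
if ($sig.Status -eq 'Valid') {
    Write-Host "Authenticode signer: $($sig.SignerCertificate.Subject)"
} else {
    Write-Warning "PDE.dll signature status is '$($sig.Status)'; relying on the hash check only"
}

# All gates passed: place the DLL beside the debugger so '!load PDE' finds it.
Copy-Item -Path $dll.FullName -Destination (Join-Path $DebuggerDir 'PDE.dll') -Force
Write-Host "Installed $($dll.Name) ($arch) into $DebuggerDir"
```

Run it from an elevated PowerShell prompt, since the default debugger directory is under Program Files; afterwards `!load PDE` in WinDbg works exactly as shown in the help output above. Recording the hash once from a copy you have vetted, and then checking every later download against it, is what turns "download from a shared OneDrive" into a repeatable, auditable step.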
 
I've updated the WinDbg cheat sheet again. This is currently a working draft copy, since there are still some commands which I want to add. I've changed the formatting slightly too, so hopefully it should be more readable.
 

Attachments

I've now updated the WinDbg cheat sheet again. Please check my original post for the latest version. Please feel free to amend the .doc version to your liking, I don't think I've missed anything?

I've removed the third-party debugger extensions since it would have taken a couple more pages up and I'm trying to keep the document as short as possible.
 
I've updated the cheat sheet with a few data structures and have fixed the contents page. I've also corrected the description for the !whea command and added !diskinfo along with the flags for !drvobj. Please see the latest version attached to the top of this thread.
 
