Debugging for Starters – I

November 24th, 2011

There are many articles on the web on this topic with very good technical detail and deep dives. However, when I started debugging it was a bit difficult to find a starting point. Most of the articles and books I found cover high-level debugging, and a grasp of Windows Internals is a must to understand the whole picture. I was more interested in a 'quick' and 'short-route' approach: coming from a system administration and consulting background, I wanted an easy way to move an issue to second-level support. In this series, I will try to document my experience and learning in this area.

Please note that I am not recommending that anybody skip studying Windows Internals; however, you can use these techniques to get started and then develop your skills further. I am going to refer to multiple books and websites, especially Windows Internals by Mark Russinovich and David Solomon (an excellent book! It's an ocean of knowledge; the more you read, the more you like it) and http://dumpanalysis.org/ .

So today I will introduce a couple of terms that we are going to use in this series. I am planning to document and show some examples in the next 3-4 articles, and will keep adding information as and when I have free time.

OS Level/Mode – The Windows operating system can be conceptually divided into two parts:

  • User Space (User Mode) – Applications run in user mode. In user mode, the executing code has no ability to directly access hardware or reference arbitrary memory; it must delegate to system APIs to access hardware or memory. Because of this, if an application running in this mode crashes, the failure is recoverable and it will not crash your machine (no BSOD).
  • Kernel Space (Kernel Mode) – When Windows is first loaded, the Windows kernel is started. It runs in kernel mode and sets up paging and virtual memory. It then creates some system processes and allows them to run in user mode. In kernel mode, the executing code has complete and unrestricted access to the underlying hardware: it can execute any CPU instruction and reference any memory address. If something goes wrong here, it will generate a BSOD.

Process – You can consider it as a running program; it provides all the resources needed to run the program, such as a virtual address space, executable code, a security context, etc. It usually starts with a single thread and creates additional threads as and when required. For example, in the Windows Task Manager screenshot below, winword.exe is a process:

Thread – You can think of it as the actual code that runs inside a process. All threads of a process share its virtual address space and system resources.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms681917(v=VS.85).aspx

Stack – is a pile of objects or, in simple terms, the currently running code. A simple example: assume you are reading a book, but you need to refer to a couple of other books to understand some part. You are at a page and need to understand the meaning of a word, so you put your first book down and take an English dictionary to find the meaning; you keep it on top of the first book, and then maybe a French dictionary to see what it is called in French. Once you have finished, you remove everything from this stack and continue reading. The same concept applies to program execution: the program calls some function/code, runs it, and that code may in turn call another function/code to query/retrieve some other information.

Dumps – There are typically three types of dumps used for troubleshooting purposes:

  • User dump – contains process memory.
  • Kernel dump – contains OS kernel memory (a post-mortem dump taken after a BSOD).
  • Complete dump – contains everything in physical memory (kernel memory + processes).

For troubleshooting purposes, if possible, it is best to have a complete memory dump; however, the other two types are also very helpful for specific kinds of analysis.
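The three dump types above can be told apart from the file header, which is handy when someone sends you "a dump" with no context. This is an added example, not code from the original post or from dumpanalysis.org: it checks the documented signatures (MDMP for user-mode minidumps, PAGEDUMP/PAGEDU64 for kernel and complete dumps) and, for 64-bit kernel headers, reads the DumpType field; the 0xF98 offset and the type numbering are assumed from the public DUMP_HEADER64 layout and should be verified against your own symbols. The sample headers are constructed inline.

```python
import struct

# Signatures found at offset 0 of the file (documented formats).
MINIDUMP_SIG = b"MDMP"      # user dump written by MiniDumpWriteDump / Task Manager
KERNEL32_SIG = b"PAGEDUMP"  # 32-bit kernel/complete dump header (DUMP_HEADER)
KERNEL64_SIG = b"PAGEDU64"  # 64-bit kernel/complete dump header (DUMP_HEADER64)

# DumpType field of DUMP_HEADER64. Offset and values are an assumption taken
# from the public 64-bit layout; verify against your symbols before relying on it.
DUMPTYPE64_OFFSET = 0xF98
DUMP_TYPES = {1: "complete", 2: "kernel", 3: "header-only", 4: "small (triage)",
              5: "complete (bitmap)", 6: "kernel (bitmap)"}

def classify_dump(data: bytes) -> str:
    """Map the first 0x2000 bytes of a dump file onto the page's three categories."""
    head = data[:8]
    if head[:4] == MINIDUMP_SIG:
        return "user dump (process memory)"
    if head == KERNEL64_SIG:
        if len(data) >= DUMPTYPE64_OFFSET + 4:
            (dump_type,) = struct.unpack_from("<I", data, DUMPTYPE64_OFFSET)
            name = DUMP_TYPES.get(dump_type, "unknown type %d" % dump_type)
            return "%s dump (64-bit kernel header)" % name
        return "kernel/complete dump (64-bit header, truncated)"
    if head == KERNEL32_SIG:
        return "kernel/complete dump (32-bit header)"
    return "unknown"

def classify_file(path: str) -> str:
    """Read only the header region so very large complete dumps are not loaded."""
    with open(path, "rb") as f:
        return classify_dump(f.read(0x2000))

# Constructed sample headers (not real dumps) for trying the classifier offline.
def _sample64(dump_type: int) -> bytes:
    buf = bytearray(b"PAGE" * (0x2000 // 4))  # unused header space is filled with 'PAGE'
    buf[0:8] = KERNEL64_SIG
    struct.pack_into("<I", buf, DUMPTYPE64_OFFSET, dump_type)
    return bytes(buf)

SAMPLES = {
    "complete": _sample64(1),
    "kernel": _sample64(2),
    # MDMP signature followed by a version dword (0xA793) and zero padding
    "user": b"MDMP" + b"\x93\xa7\x00\x00" + b"\x00" * 24,
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, "->", classify_dump(blob))
```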

(Ref: Windows Internals, 5th edition, by Mark Russinovich and David Solomon, and www.dumpanalysis.org)

  1. John
    November 28th, 2011 at 21:55

    Thanks, that’s very useful… looking forward to next in this series…

  2. April 28th, 2012 at 23:51

    Very good analysis on a subject often treated badly on the web. I stumbled upon your blog and I commend you for your work.

    PS: Sorry, I speak little English, but I am French and there is no interesting blog on the subject in my country.

    Best regards,
    Charlotte
