WinDbg is a powerful debugger used to analyze crashes, hangs, and other software issues in Windows. Among its many features, the `!analyze` extension stands out as a crucial tool for quickly diagnosing the root cause of problems. This article walks you through the `!analyze` extension, covering its functionality, parameters, and usage in both user-mode and kernel-mode debugging.
## What is the !analyze extension?

The `!analyze` extension is a WinDbg command that provides automated analysis of the current exception or bug check (also known as a Blue Screen of Death, or BSOD). It examines the available data, such as the call stack, registers, and memory, to provide insight into what might have caused the issue. Using `!analyze` can significantly reduce the time it takes to understand and resolve complex debugging scenarios.
This extension is especially helpful during crash dump analysis, as detailed in Analyzing a kernel-mode dump file with WinDbg.
The `!analyze` extension behaves differently depending on whether you're debugging in user mode or kernel mode:

- In user mode, `!analyze` focuses on exceptions that occur within a specific application. This is useful for debugging application crashes or hangs.
- In kernel mode, `!analyze` analyzes bug checks, which are system-level errors that cause the operating system to halt. This is critical for diagnosing driver issues, hardware problems, and other system-level instabilities.

Here's a breakdown of the most commonly used parameters for `!analyze`:
- `-v[0..99]`: Controls the verbosity level, allowing you to display more detailed information. `-v` (or `-v1`) provides a moderate level of detail, while `-vv` (or any number higher than the system allows, such as `-v99`) displays all available information. Tip: starting with `-v6` in user mode shows global and thread-specific information.
- `-f`: Forces the `!analyze` extension to generate output, even if the debugger hasn't automatically detected an exception. This is useful when you suspect an issue but the debugger hasn't triggered.
- `-hang`: Specifically analyzes hung applications. In kernel mode, it investigates locks and the DPC queue chain. In user mode, it checks thread stacks for blocking issues. Important: before using `-hang` in user mode, switch to the thread you suspect is hung.
- `-show BugCheckCode [BugParameters]`: Displays details about a specific bug check code. `BugParameters` are optional parameters that further refine the search.

Let's say you encounter a BSOD with the bug check code `0x0000007E` (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED). You can use `!analyze -show 0x0000007E` to get a basic description of the error. To delve deeper, consult the Bug check code reference for detailed information about possible causes and troubleshooting steps.
If an application appears to be hung, attach WinDbg to the process and use `!analyze -hang`. The tool analyzes the thread stacks to identify potential deadlocks or blocking calls. This is especially handy if one thread is waiting on another, since WinDbg can pinpoint the source of the problem.
The `!analyze` extension can also output its findings in XML format, making it easier to parse and integrate into automated analysis tools:

- `-xml`: Generates the analysis output in XML format in the debugger's output window or log.
- `-xmi`: Adds module information to the XML output. Requires `-xml` or `-xmf`.
- `-xcs`: Adds context and call stack frames to the XML output. Requires `-xml` or `-xmf`.
- `-xmf OutputXmlFile`: Writes the XML output to the specified file. Using this overwrites any existing file.

The `-c` parameter allows you to continue execution if `!analyze` encounters a known issue. This is helpful in automated testing scenarios where you want the debugger to proceed despite specific, pre-identified problems.

- `-load KnownIssuesFile`: Loads an XML file (`KnownIssuesFile`) containing a list of known issues.
- `-unload`: Unloads the current list of known issues.
- `-help`: Displays help information for the `-c` subparameters.

For drivers using UMDF 2.15 or later, `!analyze` provides specific information about UMDF verifier failures and unhandled exceptions. This is especially useful for identifying the responsible driver in UMDF driver crashes. You can find additional information on the UMDF framework in the official Microsoft documentation.
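As an added example (not code from this article or from Microsoft's debugger tooling), the following Python script shows how the verbose `!analyze` output can be consumed in a batch triage pipeline rather than read by hand: it builds a non-interactive `cdb` command line that opens a dump, runs `!analyze -v`, and quits, then parses the header fields a triage system usually keys on (`BUGCHECK_CODE`, `FAILURE_BUCKET_ID`, `IMAGE_NAME`, and the `STACK_TEXT` frames) and compares the failure bucket against a list of already-known issues, mirroring what the `-c` known-issues mechanism does inside the debugger. The sample output it parses is constructed, with placeholder addresses and a hypothetical `example_driver.sys`; the exact layout of real `!analyze -v` output varies between debugger versions, so the parser matches the generic `NAME:  value` line shape rather than a fixed schema.

```python
"""Headless crash-dump triage around WinDbg's !analyze -v (added example)."""
import re
import subprocess
from dataclasses import dataclass, field

# Header fields from !analyze -v that a triage pipeline typically records.
KEY_FIELDS = (
    "BUGCHECK_CODE", "BUGCHECK_P1", "BUGCHECK_P2", "BUGCHECK_P3", "BUGCHECK_P4",
    "EXCEPTION_CODE", "PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID",
)

# Matches the "UPPER_CASE_NAME:  value" lines in the analysis header.
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+):\s+(.*\S)\s*$")


@dataclass
class AnalyzeResult:
    fields: dict = field(default_factory=dict)   # KEY_FIELDS that were present
    stack: list = field(default_factory=list)    # STACK_TEXT frames, top first


def build_cdb_command(cdb_exe, dump_path, log_path=None, verbosity=1, symbol_path=None):
    """Return argv for a non-interactive cdb run: open the dump (-z), optionally set
    the symbol path (-y) and log file (-logo), run !analyze at the requested
    verbosity via the initial command (-c), then quit."""
    level = "-v" if verbosity <= 1 else f"-v{verbosity}"
    argv = [cdb_exe, "-z", dump_path]
    if symbol_path:
        argv += ["-y", symbol_path]
    if log_path:
        argv += ["-logo", log_path]
    argv += ["-c", f"!analyze {level}; q"]
    return argv


def parse_analyze(output):
    """Extract KEY_FIELDS and the STACK_TEXT block from !analyze -v text output."""
    result = AnalyzeResult()
    in_stack = False
    for line in output.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True           # frames follow until the next blank line
            continue
        if in_stack:
            if not line.strip():
                in_stack = False
                continue
            result.stack.append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) in KEY_FIELDS:
            result.fields[m.group(1)] = m.group(2)
    return result


def bugcheck_code(result):
    """BUGCHECK_CODE as an integer (it is printed as bare hex, e.g. '7e')."""
    raw = result.fields.get("BUGCHECK_CODE")
    return int(raw, 16) if raw else None


def triage(result, known_bucket_ids):
    """Classify a crash as 'known' (bucket already tracked) or 'new' (needs a look),
    the same decision the debugger's -c known-issues list automates in-session."""
    bucket = result.fields.get("FAILURE_BUCKET_ID", "")
    return "known" if bucket in known_bucket_ids else "new"


def run_analyze(cdb_exe, dump_path, **kwargs):
    """Run cdb headlessly and parse its output (requires the Debugging Tools on PATH)."""
    proc = subprocess.run(build_cdb_command(cdb_exe, dump_path, **kwargs),
                          capture_output=True, text=True, check=False)
    return parse_analyze(proc.stdout)


# Constructed sample of !analyze -v output: placeholder addresses, hypothetical driver.
SAMPLE_OUTPUT = """\
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80012345678, The address that the exception occurred at

BUGCHECK_CODE:  7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff80012345678

PROCESS_NAME:  System

STACK_TEXT:  
ffff9c00`11225000 fffff800`12345678 : nt!KiDispatchException+0x1c7
ffff9c00`11225100 fffff800`11111111 : example_driver!ProcessRequest+0x42

MODULE_NAME: example_driver

IMAGE_NAME:  example_driver.sys

FAILURE_BUCKET_ID:  AV_example_driver!ProcessRequest
"""

if __name__ == "__main__":
    r = parse_analyze(SAMPLE_OUTPUT)
    print(f"bugcheck 0x{bugcheck_code(r):X} in {r.fields['IMAGE_NAME']}; "
          f"bucket {r.fields['FAILURE_BUCKET_ID']}; top frame {r.stack[0]}")
    print("triage:", triage(r, {"AV_example_driver!ProcessRequest"}))
```

For a real run, `run_analyze("cdb.exe", r"C:\dumps\MEMORY.DMP", log_path=r"C:\dumps\analyze.log")` produces the same structure from a live dump; the log file keeps the full text for an analyst when `triage` reports a new bucket.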
The `!analyze` extension is an indispensable tool for debugging Windows applications and drivers. By mastering its parameters and understanding its behavior in both user and kernel modes, you can efficiently diagnose and resolve a wide range of software issues, improving the stability and reliability of your code. Use the resources and links provided and start debugging like a pro! Remember to check out Using the !analyze extension for additional insights.