Defrag Tools: #25 - WinDbg - Events

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment goes over the commands used to diagnose an Event hang in a user mode application. We talk about single and multiple event hangs, automatic and manual events, waitable object handles and common design patterns that you will encounter. We use these commands:

• ~*k
• ~*kv
• ~
• ~~[TID]s
• dp <addr>
• !handle
• !handle <handle> <mask>
• .dumpdebug
• !uniqstack
• !findstack <text>

Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution.

Resources:
Synchronization Functions
Sysinternals WinObj

Timeline:
[00:00] - Event objects
[03:56] - Waitable objects and Design Patterns
[08:00] - Handles
[10:52] - x64/x86/ARM calling conventions and 32/64bit addressing
[14:10] - WaitForSingleObject with a single Auto-Reset Event
[14:55] - !handle
[16:02] - .dumpdebug -- MiniDumpWithHandleData
[16:36] - !handle <handle> <mask>
[19:48] - Sysinternals WinObj
[24:14] - WaitForMultipleObjects with multiple Thread Handles
[30:00] - Work and Quit Event Design Pattern
[33:45] - WaitForMultipleObjects with multiple Event Handles
[38:52] - Windows Explorer example
[44:50] - Process Explorer also shows Handles (Ctrl-H)