Monday, March 15, 2010

How do I switch to 32bit mode when I use windbg to debug a dump of a 32bit application running on an x64 machine?

If you use windbg (either the 32bit or the 64bit version) to open a dump of a 32bit application running on an x64 operating system, you get a 64bit view of the 32bit application by default. For example,

0:001> k
Child-SP RetAddr Call Site
00000000`027eebc8 00000000`7529ab46 wow64cpu!WaitForMultipleObjects32+0x3a
00000000`027eec70 00000000`7529a14c wow64!RunCpuSimulation+0xa
00000000`027eeca0 00000000`777305a8 wow64!Wow64LdrpInitialize+0x4b4
00000000`027ef200 00000000`776e68de ntdll!_LdrpInitialize+0x49db8
00000000`027ef2b0 00000000`00000000 ntdll!LdrInitializeThunk+0xe

0:001> r
rax=000000000af7e3b8 rbx=00000000778ecb94 rcx=00000000004b6a18
rdx=0000000000000018 rsi=00000000004b6a18 rdi=0000000000000000
rip=000000007577374f rsp=00000000027eebc8 rbp=0000000002a9fee0
r8=000000000000002b r9=00000000778c99fd r10=0000000000000000
r11=0000000000000212 r12=000000007efd8000 r13=00000000027efd20
r14=00000000027eec00 r15=0000000075773380
iopl=0 nv up ei pl nz ac pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
wow64cpu!WaitForMultipleObjects32+0x3a:
00000000`7577374f 418bbda0000000 mov edi,dword ptr [r13+0A0h] ds:00000000`027efdc0=00000000

The wow64 stuff in the call stack and the x64 registers do not tell us much.

To get the meaningful 32bit view of the application, you need to switch the processor mode that the debugger uses to 32bit by entering either .effmach x86 or !wow64exts.sw in windbg. The two commands are basically the same. You should see output like the following:

0:001> !wow64exts.sw
Switched to 32bit mode
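
When triaging many dumps, a saved debugger log can be checked automatically for this situation. The following is an added example, not part of the original post: the function name, the WoW64 module list and the sample log (built from the session above) are assumptions made for illustration.

```python
import re

# Constructed input: the `k` stack and the segment-register line from the
# debugger session above, as they would appear in a saved WinDbg log.
SAMPLE_LOG = """\
0:001> k
Child-SP RetAddr Call Site
00000000`027eebc8 00000000`7529ab46 wow64cpu!WaitForMultipleObjects32+0x3a
00000000`027eec70 00000000`7529a14c wow64!RunCpuSimulation+0xa
00000000`027eeca0 00000000`777305a8 wow64!Wow64LdrpInitialize+0x4b4
00000000`027ef200 00000000`776e68de ntdll!_LdrpInitialize+0x49db8
00000000`027ef2b0 00000000`00000000 ntdll!LdrInitializeThunk+0xe
0:001> r
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
"""

# Modules that implement the WoW64 layer (assumed list for this example).
WOW64_MODULES = {"wow64", "wow64cpu", "wow64win"}
# A frame printed in the 64bit view: two 64bit addresses, then module!symbol.
FRAME64_RE = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+(\w+)!", re.I | re.M)
CS_RE = re.compile(r"\bcs=([0-9a-f]{4})\b", re.I)
CS_LONG_MODE = 0x33  # user-mode 64bit code selector on x64 Windows


def analyze_log(log):
    """Report whether a log shows the 64bit view of a WoW64 thread."""
    modules = [m.lower() for m in FRAME64_RE.findall(log)]
    wow64_frames = sum(1 for m in modules if m in WOW64_MODULES)
    cs_match = CS_RE.search(log)
    cs = int(cs_match.group(1), 16) if cs_match else None
    # WoW64 thunk frames in a 64bit-format stack mean the 32bit frames are
    # hidden; a cs of 0x33 (when register output is present) corroborates it.
    needs_switch = wow64_frames > 0 and cs in (None, CS_LONG_MODE)
    return {
        "frames_64bit": len(modules),
        "wow64_frames": wow64_frames,
        "cs": cs,
        "needs_x86_switch": needs_switch,
        "suggestion": ".effmach x86" if needs_switch else None,
    }


if __name__ == "__main__":
    for key, value in analyze_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```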

Read more: MSDN Forum Support Team
