Wednesday, June 26, 2013

Kernel debugging with a Hyper-V virtual machine

Inline image 2

One of the best ways of investigating the way Windows works is through a kernel debugger. Windows supports a local kernel debugging mode that can be activated in one of two ways:

1. Setup windows to run in local debugging mode by running bcdedit /debug on from an elevated command prompt and then restart. Finally, run WinDbg and select File / Kernel Debug… from the menu and then select the Local tab and click OK:

The main downside here is the need for restart, and more subtly – some apps behave strangely when the debug flag is on.

2. Use the LiveKD tool from SysInternals. This doesn't require the debug flag – just copy Livekd.exe to the folder where WinDbg is and run Livekd –w from an elevated command prompt.

The problem with both approaches is the fact that breakpoints cannot be set – the system is running. For breakpoints, another system is required. Using a second physical computer is usually inconvenient, if at all possible. Fortunately, a Hyper-V VM can be set up as a target system for kernel debugging with some simple configuration without having to run various scripts. Here's how to do it:

Read more: Pavel's Blog
QR: Inline image 1