Downloads


Tools

CodeMachine Debugger Extension DLL

2013.12.07 | X86 and x64 | 1.2.7.0

Contains the !stack, !kvas, !ptelist, !packet commands.


Presentations

Developing Drivers with Visual Studio 2012 (.PDF File), Advanced Developers Conference 2013, Bad Aibling, Germany
x64 Deep Dive (.PDF File), Microsoft Global Escalation Conference 2010, Redmond, WA, USA
Supporting Support (.PDF File), Microsoft Global Escalation Conference 2009, Virtual
Writing Debugger Extensions (.PDF File), Microsoft Global Escalation Conference 2007, Las Colinas, TX, USA

Windows Driver Kit (WDK) Header File Downloads

Windows Version         BugCheck Codes  Native API  Kernel Types  Status Codes  Hardware Drivers  Kernel Drivers  FileSystem Drivers
Windows 10 2004 (20H1)  bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1903 (19H1)  bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1809 (RS5)   bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1803 (RS4)   bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1709 (RS3)   bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1703 (RS2)   bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1607 (RS1)   bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1511 (TH2)   bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 10 1507 (TH1)   bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 8.1             bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 8               bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h
Windows 7               bugcodes.h      winnt.h     ntdef.h       ntstatus.h    wdm.h             ntddk.h         ntifs.h

Windows Kernel Debugging Setup Scripts

Collection of handy scripts for setting up debug and test systems.

Configure System Settings

Deletes Shadow Copies
Disables System Restore on the System Drive
Enables RDP to the system
Disables Shutdown Event Tracker (applies only to Windows Servers)
Disables Automatic Updates

wmic /namespace:\\root\default path SystemRestore call Disable "%SystemDrive%\"
wmic shadowcopy delete
wmic rdtoggle where ServerName="%COMPUTERNAME%" CALL SetAllowTSConnections 1, 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability" /v ShutdownReasonOn /t REG_DWORD /d 0x0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 1 /f
    

Configure Dump Generation and Debug Prints

Configures the system to generate complete kernel memory dumps
Retains kernel mode memory dumps, unconditionally
Configures the system to generate a kernel or complete memory dump from a PS/2 keyboard
Configures the system to generate a kernel or complete memory dump from a USB keyboard
Configures the system to generate a user mode mini-dump with full memory information
Enables DbgPrint() output to appear in the kernel debugger
Disables paging of kernel and device driver code pages

wmic recoveros set DebugInfoType = 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AlwaysKeepMemoryDump /t REG_DWORD /d 0x1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 0x1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" /v CrashOnCtrlScroll /t REG_DWORD /d 0x1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" /v CrashOnCtrlScroll /t REG_DWORD /d 0x1 /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /t REG_DWORD /d 0x2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /v DEFAULT /t REG_DWORD /d 0xffffffff /f
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePagingExecutive /t REG_DWORD /d 1 /f
    

Configure Kernel Mode Debugging

Backs up the current boot entry into a new entry.
Turns on kernel debugging
Configures kernel debugging to use COM1 at 115200 baud

bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /copy {current} /d "Windows [debugger disabled]"
bcdedit /debug {current} ON
    

Set Up Network Share

Creates a new directory c:\Shared
Shares it using Windows File and Printer Sharing and grants everyone on the system full access to it

mkdir c:\Shared
net share Shared=c:\Shared /GRANT:Everyone,FULL
    

Set Up New Account

Creates a new administrator user with username="tester" and password="tester"
Enables this account to automatically log into the system

net user tester tester /add
net localgroup administrators tester /add
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "tester" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "tester" /f
    

Configure User Preferences

Enables RDP access for current user
Configures Explorer to show hidden files, folders and drives
Configures Explorer to show extensions of known files types
Configures Explorer to show protected operating system files
Configures Explorer to display full path in the title bar
Configures Explorer to prevent windows from being automatically arranged when moved to the edge of the screen

wmic rdpermissions where TerminalName="RDP-Tcp" CALL AddAccount "%USERNAME%",1
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 0x1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0x1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0x0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState" /v FullPath /t REG_DWORD /d 0x1 /f
reg add "HKCU\Control Panel\Desktop" /v WindowArrangementActive /t REG_SZ /d "0" /f
    
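An audit script for the settings above, added here as a PowerShell example and not one of the original scripts: it reads back each registry value that the reg add commands in the sections above write and reports the ones that are missing or differ. The key paths, value names and expected values are taken from those sections; the function and the output layout are the only additions.

```powershell
# Added example (PowerShell, not one of the original scripts): reads back the
# registry values written by the reg add commands above and reports any that
# are missing or differ. Assumes it runs as the same user that set the HKCU values.
$ExpectedSettings = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability';                  Name = 'ShutdownReasonOn';        Value = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'AUOptions';               Value = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';                       Name = 'AlwaysKeepMemoryDump';    Value = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';                       Name = 'NMICrashDump';            Value = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters';                 Name = 'CrashOnCtrlScroll';       Value = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters';               Name = 'CrashOnCtrlScroll';       Value = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps';       Name = 'DumpType';                Value = 2 }
    # REG_DWORD values read back as Int32, so the 0xffffffff filter mask compares as -1
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'; Name = 'DEFAULT';                 Value = -1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';  Name = 'DisablePagingExecutive';  Value = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';               Name = 'AutoAdminLogon';          Value = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';               Name = 'DefaultUserName';         Value = 'tester' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';         Name = 'ShowSuperHidden';         Value = 1 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';         Name = 'HideFileExt';             Value = 0 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState';     Name = 'FullPath';                Value = 1 }
    @{ Key = 'HKCU:\Control Panel\Desktop';                                               Name = 'WindowArrangementActive'; Value = '0' }
)

function Test-DebugSystemSettings {
    param([array]$Settings = $ExpectedSettings)
    foreach ($s in $Settings) {
        $actual = $null
        if (-not (Test-Path -LiteralPath $s.Key)) {
            $state = 'KeyMissing'
        } else {
            # A missing value yields $null; string comparison covers REG_SZ and REG_DWORD alike
            $actual = (Get-ItemProperty -LiteralPath $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
            if ($null -eq $actual)               { $state = 'ValueMissing' }
            elseif ("$actual" -ne "$($s.Value)") { $state = 'Mismatch' }
            else                                 { $state = 'OK' }
        }
        [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Expected = $s.Value; Actual = $actual; State = $state }
    }
}

# List only the settings that still need attention
Test-DebugSystemSettings | Where-Object State -ne 'OK' | Format-Table Name, Expected, Actual, State, Key -AutoSize
```

The same table doubles as a drift check on machines that should not carry these settings, since automatic logon and an unrestricted Debug Print Filter are not expected on a production baseline.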

Set up and configure a Hyper-V VM for Kernel Debugging using PowerShell

Before creating the VM, the following changes are made to Hyper-V on the host.

# Please customize the switch name if necessary
$switch = "Internal_Switch"

# Enable the Hyper-V host and Hyper-V PowerShell components
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

# Disable Enhanced Session Mode (the RDP-based VM console) on the Hyper-V host
Set-VMHost -EnableEnhancedSessionMode $False

# Set up a new Hyper-V internal switch (if you don't have one configured already)
New-VMSwitch -Name $switch -SwitchType Internal
    

The VM is set up to the following specification.

# Please customize the following variables as per your needs
$vmname = "WIN10VM"
$vhdpath = "c:\vm\WIN10VM.vhdx"
$isopath = "c:\vm\en_windows_10_business_editions_version_1903_x64_dvd_37200948.iso"
$pipe = "\\.\pipe\" + $vmname
$switch = "Internal_Switch" # Name of an existing internal switch

# Create a new VM (without a disk)
New-VM -Name $vmname -MemoryStartupBytes 2GB -NoVHD -Generation 2 -SwitchName $switch

# Turn off automatic checkpoints (Uncheck "Use automatic checkpoints")
Set-VM -VMName $vmname -AutomaticCheckpointsEnabled $False

# Set the VM to only use the memory allocated at startup (Uncheck "Enable Dynamic Memory")
Set-VM -VMName $vmname -StaticMemory

# Configure the VM for multiple CPUs (Number of virtual processors: 2)
Set-VMProcessor -VMName $vmname -Count 2

# Turn off Secure Boot for kernel debugging (Uncheck "Enable Secure Boot")
Set-VMFirmware -VMName $vmname -EnableSecureBoot Off

# Create a new VHD (VHDX format, 30GB size, dynamically expanding)
New-VHD -Dynamic -SizeBytes 30GB -Path $vhdpath

# Add the newly created VHDX to the VM
Add-VMHardDiskDrive -VMName $vmname -Path $vhdpath

# Add a bootable Windows .ISO file as a DVD drive to the VM
Add-VMDvdDrive -VMName $vmname -Path $isopath

# Get the DVD drive object
$dvddrive = Get-VMDvdDrive -VMName $vmname

# Set the DVD drive as the first bootable device
Set-VMFirmware -VMName $vmname -BootOrder $dvddrive

# Add serial port COM1 to the VM for kernel debugging (mapped to the named pipe above)
Set-VMComPort -VMName $vmname -Number 1 -Path $pipe