How do I switch to 32bit mode when I use windbg to debug a dump of a 32bit application running on an x64 machine?

Hello, I am Jialiang Ge from MSDN forum support team. In this post, I'd like to introduce how to switch to 32bit mode when you use windbg to debug a dump of a 32bit application running on an x64 machine. If you use (32bit version or 64bit version of) windbg to open a dump of a 32bit application running on an x64 operating system, you get 64bit look of the 32bit application by default. For example,

0:001> k
Child-SP RetAddr Call Site
00000000`027eebc8 00000000`7529ab46 wow64cpu!WaitForMultipleObjects32+0x3a
00000000`027eec70 00000000`7529a14c wow64!RunCpuSimulation+0xa
00000000`027eeca0 00000000`777305a8 wow64!Wow64LdrpInitialize+0x4b4
00000000`027ef200 00000000`776e68de ntdll!_LdrpInitialize+0x49db8
00000000`027ef2b0 00000000`00000000 ntdll!LdrInitializeThunk+0xe

0:001> r
rax=000000000af7e3b8 rbx=00000000778ecb94 rcx=00000000004b6a18
rdx=0000000000000018 rsi=00000000004b6a18 rdi=0000000000000000
rip=000000007577374f rsp=00000000027eebc8 rbp=0000000002a9fee0
r8=000000000000002b r9=00000000778c99fd r10=0000000000000000
r11=0000000000000212 r12=000000007efd8000 r13=00000000027efd20
r14=00000000027eec00 r15=0000000075773380
iopl=0 nv up ei pl nz ac pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
00000000`7577374f 418bbda0000000 mov edi,dword ptr [r13+0A0h] ds:00000000`027efdc0=00000000

The wow64 stuff in the call stack and the x64 registers do not tell us much.

To get the meaningful 32bit look of the application, you need to switch the processor mode that the debugger uses to 32bit by entering either .effmach x86 or !wow64exts.sw in windbg. The two commands are basically same. You should see output like the following:

0:001> !wow64exts.sw
Switched to 32bit mode

0:001:x86> k
ChildEBP RetAddr
02a9fd4c 7794787d ntdll_77880000!NtWaitForMultipleObjects+0x15
02a9fee0 7730eccb ntdll_77880000!TppWaiterpThread+0x328
02a9feec 778fd24d kernel32!BaseThreadInitThunk+0xe
02a9ff2c 778fd45f ntdll_77880000!__RtlUserThreadStart+0x23
02a9ff44 00000000 ntdll_77880000!_RtlUserThreadStart+0x1b

0:001:x86> r
eax=00000000 ebx=778ecb94 ecx=00000000 edx=00000000 esi=004b6a18 edi=00000000
eip=778c99fd esp=02a9fd50 ebp=02a9fee0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
778c99fd c21400 ret 14h

The call stack looks very different now. Particularly you do not see any wow64 and wow64cpu modules in the stack.

Note: The above solution works for the kernel mode dump of an x64 system too when you try to see the thread call stacks of a running 32bit process.

You can find more readings about this topic at:

Debugging WOW64

How to use Windbg to debug a dump of a 32bit .NET app running on a x64 machine

A look at the WoW64 layer in the debugger