How to Access the User Mode Debugger from the Kernel Debugger

In certain cases you may want to use a user mode debugger to debug a process from within the kernel debugger. For example, you may have an application that loads a kernel mode driver, and you want to debug the user mode side of the application and then break into the kernel to follow the calls it makes into the kernel.

Here is how you do it!

· Attach the kernel debugger via a serial cable (null modem cable), USB cable or FireWire cable, and have your machine configured to be kernel debugged. The article located at http://support.microsoft.com/kb/151981 is a good reference for pre-Vista systems. To enable the debug options on Vista or Windows 2008 you must use bcdedit.exe, because those OSes no longer use a boot.ini file. Here’s an example:

bcdedit /debug {<guid>} <ON | OFF>
bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200

· Add a new debugger key to the “Image File Execution Options” for your process. In this case we will use notepad.exe as the target process. The new key will look like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe

· Add a string value under this key called “Debugger” that contains the value “ntsd -d” (a plain ASCII hyphen before the d). Here’s a screen shot of the registry changes for reference.

· The -d option redirects the input and output of NTSD to the kernel debugger, so the user mode debugger can be controlled remotely from the kernel debugger.

· Once this key exists, the user mode debugger will automatically start and attach to your process whenever Notepad.exe starts. Note: it’s important to remove the registry entry when you’re finished debugging, since it stays in effect for every future launch of that image.

· You can now issue any standard NTSD command via the kernel debugger.

· When you are ready to break into the kernel and run under the kernel debugger, simply type .breakin in the NTSD session.
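As an added example (not part of the original post, and not code from the Debugging Tools team), here is a PowerShell script that creates and removes the Image File Execution Options value described in the steps above, and lists every image that currently has a Debugger value so a forgotten entry stands out. It assumes an elevated PowerShell session and that ntsd.exe is on the PATH; the function names and the notepad.exe default are my own.

```powershell
# Added example: manage the IFEO "Debugger" value used to attach NTSD from the kernel debugger.
# Assumes an elevated session (HKLM is writable) and ntsd.exe on the PATH.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Enable-KdUserDebugger {
    param([string]$ImageName = 'notepad.exe')
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # "ntsd -d" redirects NTSD's input and output to the kernel debugger
    Set-ItemProperty -Path $key -Name 'Debugger' -Value 'ntsd -d' -Type String
    Get-ItemProperty -Path $key -Name 'Debugger'
}

function Disable-KdUserDebugger {
    param([string]$ImageName = 'notepad.exe')
    $key = Join-Path $IfeoRoot $ImageName
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
        # Drop the per-image subkey entirely if nothing else is stored under it
        $values  = (Get-Item $key).GetValueNames()
        $subkeys = Get-ChildItem $key
        if ($values.Count -eq 0 -and $subkeys.Count -eq 0) { Remove-Item $key }
    }
}

function Get-IfeoDebuggers {
    # Lists every image with a Debugger value; run this after debugging to confirm cleanup
    Get-ChildItem $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

# Typical session: set the value, debug, then remove it and verify nothing is left behind
Enable-KdUserDebugger -ImageName 'notepad.exe'
# ... start Notepad, drive NTSD from the kernel debugger, use .breakin as needed ...
Disable-KdUserDebugger -ImageName 'notepad.exe'
Get-IfeoDebuggers
```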

Jeff-