Early Debugging

Early debugging is a wide topic, on a Windows PC it might be:

Application Startup

As we have demonstrated in the user mode debug event loop, when an application was launched from a debugger, the first debug event is CREATE_PROCESS_DEBUG_EVENT. Process creation event is the earliest point a user mode debugger could even reach to.

Windows debuggers by default would break at ntdll!LdrpDoDebuggerBreak, but we can alter this behavior:

cdb.exe -xe cpr -xe ld notepad.exe

 CommandLine: notepad.exe

ModLoad: 01000000 01014000   notepad.exe

0:000> lm
start    end        module name
01000000 01014000   notepad    (deferred)

0:000>  !teb
TEB at 7ffdf000
error InitTypeRead( TEB )... 

As you can see, debugger extension complains since we are too early. However there are always workarounds as we discussed in Undocumented WinDBG:

 0:000>  .imgscan; * Where is Mark Zbikowski?
MZ at 01000000, prot 00000002, type 01000000 - size 14000
  Name: notepad.exe
MZ at 7c900000, prot 00000002, type 01000000 - size b2000
  Name: ntdll.dll

0:000>  .reload /s /f ntdll.dll=7c900000

0:000> lm
start    end        module name
01000000 01014000   notepad    (deferred)
7c900000 7c9b2000   ntdll      (pdb symbols)

0:000>  !teb
TEB at 7ffdf000
    ExceptionList:        ffffffff
    StackBase:            00080000
    StackLimit:           0006f000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdf000
    EnvironmentPointer:   00000000
    ClientId:             000007d4 . 000005b4
    RpcHandle:            00000000
    Tls Storage:          00000000
    PEB Address:          7ffd8000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0

If the application is launched by another process, IFEO might help, but always keep in mind there can be side effects.

Service Startup

Most of the knowledge about application debugging applies to services, since they are both user mode processes. The only difference is that service can share a single hosting process (e.g. svchost.exe), and would normally start in a different session.

An excellent article about service debugging can be found at:

Windows Setup, OS Loader, CSRSS and WinLogon

The document shipped with Debugging Tools for Windows has some brief introduction.

MSDN also described these debugging tasks in Specialized Debugging Techniques.


Most of these are real mode code (although MBR might switch CPU to protected mode) dealing with the low level hardware. Not many people are still working on the old memory models (e.g. TINY, SMALL, COMPACT, MEDIUM, LARGE and HUGE) and the A20 line (do you remember Tim Paterson and his debug program?).

MBR is relatively small, and can be simply debugged using a software emulator.

I have never worked on POST, but I think people would use software emulators in combination with ICE (In-circuit emulator).

WinDBG has limited support for real mode debugging.

(to be continued...)