MS Windows Debuggers

WinDbg can be used to do user mode debug of applications running on the same machines as the debugger, but because it is common to stop instruction execution on the processor during debugging, especially for kernal mode code like device drivers, it is best to use two systems. One hosts the debug user interface and the other runs the code being debugged. They must be connected via a cable of some sort; prior to Win 8 USB or serial cables are necessary, but with Win 8 and above, the network can also be used. In some situations, it is possible that the second system is a virtual system, for example, a virtual PC that is running on the same PC; however, if you are working with code that closely accesses hardware, this is not a good idea.

WinDbg can also be used to open and analyse crash dump files.

• Win 10
  https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit (under "Get debuggin tools")
   
• Win 7, Vista, Server 2k8
  https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit (under "Other WDK downloads")
   
• XP,2K,NT: debugger is at
  http://www.microsoft.com/ddk/debugging/installx86.asp (wayback)
   
• ME: The Windows ME debugger is
  http://www.microsoft.com/ddk/debugging/download/WINMEDDK.EXE
   
• 95,98,NT: The Windows 2000 Platform SDK has a (very nice) GUI and remote (for kernels) debugger for Windows 9x & NT available free at http://www.microsoft.com/msdownload/platformsdk/windbg.htm (cache)
  The debugger tool provided on the Windows 98 DDK is the Windows System Debugger (Wdeb386.exe) (docs). It requires a remote computer connected via a cable to the target computer. Debug binaries and components are provided for Windows 98 in the \dbg_sym directory on the Windows 98 DDK distribution CD.
  • Note that if you are viewing a range of memory starting before a section that is committed and ending inside the section that is committed, all the memory will show as being undefined ("??" in place of values). For example, if you VirtualAlloc some memory with MEM_COMMIT and then point edi at the first byte of it and view edi-20 (so you can later see what was stosb'd to edi) the entire view will fill with "??" If "Reevaluate Expression Always" is enabled for the view, when edi advances enough that then entire view is defined, the ?'s will suddenly dissappear.

See also:

• https://msdn.microsoft.com/en-us/library/windows/hardware/mt219729(v=vs.85).aspx Getting started with WinDbg.
• http://www.sevenforums.com/crash-lockup-debug-how/310617-windbg-very-basics.html Working with crash dumps.