Local Kernel Debugging and LiveKd Update - Pavel's Blog

Pavel's Blog

Pavel is a software guy that is interested in almost everything
software related... way too much for too little time

Local Kernel Debugging and LiveKd Update

Local kernel debugging is the ability to view kernel data structures on a live system (i.e. without connecting to a target system through a null modem cable, USB or other alternatives), and has been supported since Windows XP. This is a great way to explore Windows on its darker side (the kernel and related subsystems) with all its mysteries and secrets.

With Windows XP, starting local kernel debugging is pretty easy. Just fire up WinDbg (or kd for that matter), select from the menu File->Kernel Debug, navigate to the “Local” tab, click OK and start exploring.

In Windows Vista and up, trying to do the same thing produces the following message box:

“---------------------------
WinDbg:6.11.0001.404 AMD64
---------------------------
The system does not support local kernel debugging.

Local kernel debugging requires Windows XP, Administrative
privileges, and is not supported by WOW64.
Only a single local kernel debugging session can run at a time.
Local kernel debugging is disabled by default in Windows Vista, you must run 'bcdedit -debug on' and reboot to enable it.”

The last sentence of the message is the important part. On Vista and up (not just Vista, as the error message may suggest), this is disabled by default, and enabling it requires a change in the Boot Configuration Database (BCD) and a reboot. That doesn’t seem too difficult to do; however, setting this option disables the ability to do user mode debugging (e.g. with Visual Studio)… not nice.

The life saver here is Mark Russinovich of the famous SysInternals site and tools (now part of Microsoft). He wrote the livekd tool, which simulates a “blue screen” and creates a dump file, then opens it with your favourite kernel debugger (WinDbg or kd). For example, issuing livekd -w (assuming WinDbg is in the default search path, or livekd is copied to the Debugging Tools For Windows folder and you’re running with admin privileges) launches WinDbg and allows local kernel debugging.

Livekd was not working properly on newer systems (x64) but finally a new version was released, fixing that issue, allowing local kernel debugging on x64 systems on Vista and up.
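
Since 'bcdedit -debug on' persists across reboots, it is worth checking which boot entries still carry the setting. The following is an added example, not code from the original post: a small Python parser for bcdedit /enum output that lists the entries with debug set to Yes. The sample output is constructed, English-language bcdedit formatting is assumed, and the function names are hypothetical.

```python
import re
import subprocess
# Constructed sample of English `bcdedit /enum` output (not from a real system).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
displayorder            {current}
                        {11111111-2222-3333-4444-555555555555}

Windows Boot Loader
-------------------
identifier              {current}
description             Windows 7
debug                   Yes

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
description             Windows 7 (second entry)
"""

def parse_bcd(text):
    """Split `bcdedit /enum` output into one dict per boot entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not lines[1].startswith("---"):
            continue  # not a "title / dashed underline / elements" block
        entry = {"type": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if line[:1].isspace() or len(parts) != 2:
                continue  # continuation line of a multi-value element
            entry[parts[0].lower()] = parts[1].strip()
        entries.append(entry)
    return entries

def debug_enabled(entries):
    """Identifiers of entries with 'debug Yes' set directly (inherited settings are not followed)."""
    return [e.get("identifier") for e in entries if e.get("debug", "").lower() == "yes"]

def audit_local():
    """Run on Windows from an elevated prompt; assumes English bcdedit output."""
    out = subprocess.run(["bcdedit", "/enum"], capture_output=True, text=True, check=True).stdout
    return debug_enabled(parse_bcd(out))

if __name__ == "__main__":
    print(debug_enabled(parse_bcd(SAMPLE)))
```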

Comments List

# re: Local Kernel Debugging and LiveKd Update

Published at Tuesday, October 27, 2009 6:35 PM by Sasha Goldshtein  

Only managed debugging in Visual Studio is not supported when booting with /DEBUG. Native debugging works seamlessly (from my experience).

# re: Local Kernel Debugging and LiveKd Update

Published at Tuesday, October 27, 2009 10:57 PM by pavely  

You're right... I guess I'm working in C# too much these days that I neglected native work...

# re: Local Kernel Debugging and LiveKd Update

Published at Tuesday, November 10, 2009 12:38 AM by bruce  

How to change in the Boot Configuration Database (BCD) and reboot.

# re: Local Kernel Debugging and LiveKd Update

Published at Tuesday, November 10, 2009 11:06 AM by pavely  

Type in an elevated command prompt:

bcdedit -debug on

and reboot.

# re: Local Kernel Debugging and LiveKd Update

Published at Tuesday, November 10, 2009 11:07 AM by pavely  

BTW, VS 2010 Beta 2 allows managed debugging even with kernel local debugging turned on.
