
While starting your first kernel debugging session you might encounter the information message above. That message is not the real problem; unfortunately, if you follow the instructions in it you will "most likely" end up with the same result. I was able to tackle it in many ways, but the most reliable way is to use a Windows Sysinternals utility called "LiveKd" by Mark Russinovich. LiveKd v4.0 supports the x64 platform and read-only local kernel debugging sessions of a running system (this is why it's called LiveKd). Installation details can be found on the Sysinternals website.

Now we can launch WinDbg using LiveKd -w and voila! You're inside the kernel!

To verify that we are debugging in the right mode (Kernel-Mode), you can use the !process extension, which is available only in Kernel-Mode debugging. I believe you've already noticed the KD text in the command prompt: 0 is the number of the current processor ("Yes, I have multiple processors!") and KD means the debugging session is in Kernel-Mode.

Last but not least, make sure that the debugger symbol path has been configured correctly. If you encounter any "Corrupted File" issues, you can delete that symbol's folder from the store path and run .reload (a WinDbg command), or re-run LiveKd -w in the command prompt.
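The steps above (symbol path, LiveKd -w, verification in WinDbg, clearing a corrupted symbol from the store) as one added PowerShell helper; this is example code written for this page, not part of the post or of LiveKd. It assumes livekd.exe and WinDbg are installed and on PATH, that the script runs from an elevated prompt (LiveKd loads a driver), and the symbol cache path is a placeholder.

```powershell
# Added example (not from the original post): wraps the LiveKd workflow described above.

function Test-IsElevated {
    # LiveKd needs administrative rights to load its driver for local kernel access.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-LiveKernelDebug {
    param(
        [string]$SymbolCache  = 'C:\Symbols',                                # placeholder local store
        [string]$SymbolServer = 'https://msdl.microsoft.com/download/symbols' # Microsoft public server
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated prompt.' }
    if (-not (Get-Command livekd.exe -ErrorAction SilentlyContinue)) {
        throw 'livekd.exe not found on PATH; install the Sysinternals suite first.'
    }
    # WinDbg reads _NT_SYMBOL_PATH at start-up, so set it before LiveKd spawns WinDbg.
    # srv*<cache>*<server> downloads symbols once and keeps them in the local store.
    $env:_NT_SYMBOL_PATH = "srv*$SymbolCache*$SymbolServer"

    # -w tells LiveKd to start WinDbg (instead of kd) attached to the live kernel.
    # Inside WinDbg, verify the session with:   !process 0 0     (kernel-mode only)
    # and note the prompt "0: kd>" (processor number, kernel-mode session).
    & livekd.exe -w
}

function Remove-CachedSymbol {
    # Symbol stores are laid out as <cache>\<file.pdb>\<GUID>\<file.pdb>.
    # Deleting the <file.pdb> folder forces a fresh download on the next .reload,
    # which is the fix for "Corrupted File" symbol errors mentioned above.
    param(
        [Parameter(Mandatory)] [string]$SymbolCache,
        [Parameter(Mandatory)] [string]$SymbolFile   # e.g. 'ntkrnlmp.pdb' (constructed example)
    )
    $dir = Join-Path $SymbolCache $SymbolFile
    if (Test-Path $dir) {
        Remove-Item $dir -Recurse -Force
        Write-Host "Removed $dir - now run .reload in WinDbg (or re-run livekd -w)."
    } else {
        Write-Host "No cached copy of $SymbolFile under $SymbolCache."
    }
}

# Example usage (run as Administrator):
#   Start-LiveKernelDebug -SymbolCache 'C:\Symbols'
#   Remove-CachedSymbol -SymbolCache 'C:\Symbols' -SymbolFile 'ntkrnlmp.pdb'
```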

Enjoy x64 Live Kernel Debugg’n!

Additional Resources:

Debugging Tools and Symbols: Getting Started
