While debugging a crash dump, you sometimes need to access the Windows command shell, start an application or do a command-line calculation. Recently I was debugging and needed to do some scientific calculations. ?? was not much help, as the calculations were complex. I kept launching applications from my shortcuts, but kept thinking how much easier it would be if I had a command shell integrated here.

With a little research I found that there is one quick WinDbg command to run any shell command and get its output redirected to WinDbg.

kd> .shell

This WinDbg command actually launches a cmd.exe process, which then runs the command, redirects its output to the WinDbg command window and waits for any user input.

0: kd> .shell date /T
30-07-2009                                             <<Output from command line
.shell: Process exited
Press ENTER to continue
<.shell waiting 1 second(s) for process>
<.shell process may need input>

0: kd> .shell tlist
   0 System Process 
   4 System         
272 smss.exe       
376 csrss.exe      
460 wininit.exe    
468 csrss.exe        
508 services.exe   
524 lsass.exe      
532 lsm.exe        
616 winlogon.exe   
696 svchost.exe    
760 ibmpmsvc.exe   
812 svchost.exe    
876 MsMpEng.exe    
980 atiesrxx.exe   
1012 svchost.exe    
[…]

If you run cmd.exe from inside WinDbg using .shell, your WinDbg command window turns into a Windows command shell. Any command you type is run in that command shell and its output is sent to the WinDbg command window. You can even kill processes! Yes, you have the privilege…

0: kd> .shell cmd.exe
<.shell waiting 1 second(s) for process>
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Debuggers><.shell waiting 1 second(s) for process>
<.shell process may need input>tlist                 <<There is a double echo of each command:
tlist                                                <<one is from the WinDbg command window,
tlist                                                <<the other from the Windows command shell.

[…]

6784 cmd.exe           C:\Windows\system32\cmd.exe - tlist
6620 conhost.exe       CicMarshalWnd
7832 cmd.exe           <<Let's kill this
8056 tlist.exe

If you have noticed, the command prompt has changed from the WinDbg prompt to the command shell prompt.

C:\Debuggers><.shell waiting 1 second(s) for process>
<.shell process may need input>kill /f 7832                      <<Kill this
kill /f 7832
kill /f 7832
process cmd.exe (7832) - killed
.shell: Process exited

If I run .shell without a command, it switches to shell command mode (as if .shell cmd.exe had been run) and all further commands are interpreted as shell commands. exit or .shell_quit can be used to end it and get back to the WinDbg command prompt.

0: kd> .shell
Microsoft Windows [Version 6.1.7100]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Debuggers><.shell waiting 1 second(s) for process>
<.shell process may need input>date /T
date /T
date /T
Thu 07/30/2009

C:\Debuggers><.shell waiting 1 second(s) for process>
<.shell process may need input>hostname
hostname
hostname
<.shell waiting 1 second(s) for process>
LAPTOP

C:\Debuggers><.shell waiting 1 second(s) for process>
<.shell process may need input>exit
exit
exit
.shell: Process exited
Press ENTER to continue
<.shell waiting 1 second(s) for process>
<.shell process may need input>

If for some reason the shell is stuck, you can use .shell_quit to abandon it. But then you will have to manually close any windows it popped up.

.shell has a -ci option to run debugger commands and redirect their output to any shell command. I don't know how it works, but the debugger commands following the -ci option must be separated by semicolons (;) and enclosed in quotation marks. The following did not work for me.

.shell -ci ".logopen c:\temp\dump.log"; "!vm 1"; ".logclose"; notepad.exe c:\temp\dump.log
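As an added example (not from the original post), this is the form the WinDbg reference documents for -ci: every debugger command goes inside a single quoted string, separated by semicolons, and the combined output of those commands is fed to the shell command's standard input. The filter strings are assumed values chosen for a kernel session:

```windbg
$$ Filter !vm output: the quoted debugger command runs first and its output
$$ becomes stdin of the shell command (find reads stdin when no file is given)
.shell -ci "!vm 1" find /i "Physical Memory"

$$ Several debugger commands in one -ci string, separated by semicolons;
$$ findstr keeps only the image-name lines that !process 0 0 prints
.shell -ci "!vm 1; !process 0 0" findstr /i "Image:"
```

In a remote session the filter (find, findstr) runs on the host's cmd.exe, exactly like any other .shell command; .noshell blocks both forms.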

If you run an application like calc or notepad, you may need to close the command window that is waiting for the application to exit. This won't terminate the application you started.

[Screenshot: shell prompt]

There is a -x command line option that detaches the spawned process, so that it continues to execute independently and there is no command shell waiting for user input or process termination.

.shell -x calc

[Screenshot: back to the debug prompt]

This even works in a remote session, and you use the host machine's command shell to execute your commands. Does this ring any bells?

Yes! You can run any command on the remote host.

LANKA\achinbha (tcp 172.20.143.38:58886) connected at Thu Jul 30 15:53:52 2009
1: kd> .shell hostname
<.shell waiting 1 second(s) for process>
PC-BOX                                                 <<Remote computer name
.shell: Process exited

GUI applications like Notepad or Calc will be launched on the remote machine, so there is no benefit there. When the remote debugger session was running at a privileged level, I was able to shut down the remote machine immediately, without any user prompt:

1: kd> .shell shutdown /p /f /d p:4:1

Be careful when you give anyone access to your remote session. However, you can disable access to the shell with .noshell. Once this command is run, it will not allow .shell in any new debug session. You would need to terminate all debugger instances and restart.

1: kd> .noshell
Shell commands disabled

1: kd> .shell date /T
.shell has been disabled

You can find most of the details above in the WinDbg help reference.
