
Stuck in the Apps Debug mode for a Kernel Crash dump?

by dnaadmin

 

!wow64exts.sw Switches between x86 and native mode.

I’d like to show you how to switch to kernel mode from apps mode.

This is what an apps mode prompt looks like:

0:001> 

The wow64 stuff in the call stack and the x64 registers do not tell us much.

To get a meaningful 32-bit view of the application, you need to switch the processor mode that the debugger uses to 32-bit by entering either .effmach x86 or !wow64exts.sw in WinDbg. The two commands are basically the same. You should see output like the following:

0:001> !wow64exts.sw
Switched to 32bit mode

0:001:x86>

The call stack looks very different now. In particular, you no longer see any wow64 or wow64cpu modules in the stack.

 

Note: The above solution also works for a kernel mode dump of an x64 system when you want to see the thread call stacks of a running 32-bit process.
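For the kernel dump case in the note, a command sequence like the following gets you from the dump to a 32-bit stack. This is an added example, not part of the original post; the values in angle brackets are placeholders you fill in from your own dump, and the .process and .thread steps are assumptions about a typical session rather than something the post itself shows.

```windbg
$$ Added example. Kernel-mode dump of an x64 system, 32-bit (WOW64) process.
$$ Everything in <angle brackets> is a placeholder from your own dump.

$$ 1. Find the EPROCESS address of the 32-bit process by image name.
!process 0 0 <image.exe>

$$ 2. Make that process the current context and reload its user-mode symbols.
.process /r /p <EPROCESS address>

$$ 3. List the threads of the process, one line per thread.
!process <EPROCESS address> 4

$$ 4. Select a thread; /w asks for its 32-bit WOW64 context
$$    (64-bit kernel debugging only).
.thread /w <ETHREAD address>

$$ 5. Make sure the debugger is in 32-bit mode, then dump the stack.
$$    .effmach x86 sets the mode explicitly; !wow64exts.sw would toggle it.
.effmach x86
k

$$ 6. Return to the native x64 mode of the target when done.
.effmach .
```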

You can find more info at https://msdn.microsoft.com/en-us/library/windows/desktop/aa384163(v=vs.85).aspx
