Search code examples
windowskernelwindbgwdkdebugview

How to view debugview's output in windows 7 and later without having to restart the computer?

The method i know to be able to capture kernel debug data in windows 7+, is to add Debug Print Filter registry key in the registry, but this requires a reboot.

Is there any method that enables me to capture kernel debug messages without having to reboot the computer in windows 7, 10,..?

Solution

  • C:>echo no registry key

    no registrykey

    C:>reg query "hklm\system\currentControlSet\Control\Session manager\Debug"

    ERROR: The system was unable to find the specified registry key or value.

    C:>reg query "hklm\system\currentControlSet\Control\Session manager" | grep -i De

        HeapDeCommitFreeBlockThreshold    REG_DWORD    0x0
    HeapDeCommitTotalFreeThreshold    REG_DWORD    0x0
    ExcludeFromKnownDlls    REG_MULTI_SZ
    ProtectionMode    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\system\currentControlSet\Control\Session manager\DOS Devices

    C:>echo no bcdedit/debug on

    no bcdedit/debug on

    C:>powershell -c "bcdedit /enum | select-string 'debug' "

    debug                   No

    C:>echo running dbgview to capture kernel debug prints

    running dbgview to capture kernel debug prints

    C:>dbgview /v /l dbgviewnoregkeynodebugon.txt

    C:>echo starting livekd so that it makes a few kdprints

    starting livekd so that it makes a few kdprints

C:\>livekd

LiveKd v5.62 - Execute kd/windbg on a live system

For analysis of this file, run !analyze -v
kd> q
quit:

Execute Kd again? (y/n) n

Exiting LiveKd.

    C:>echo running a OutputDebugString

    running a OutputDebugString

C:\>type odbgstr.ps1
methdef = @'
[DllImport("kernel32")]
public extern static void OutputDebugString(string lpout);
'@
$k32 = Add-Type -MemberDefinition $methdef -Name "kout" -PassThru -Namespace Win32
$k32::OutputDebugString("Notoriously Difficult Debug prints")

C:\>powershell -f odbgstr.ps1

    C:>echo printing the log

    printing the log

C:\>cat dbgviewnoregkeynodebugon.txt
[\\xxxxx]
00000001        1:11:00.860 AM  [87A7BED8] WskProIRPGetAddrInfo is called.
00000002        1:11:00.860 AM  [bind=874FA5D0] Binding reference count++ = 2 (status = 00000000, impersonation= 2).
00000003        1:11:00.860 AM  [8745F8E8] Request reference count++ = 3.
00000004        1:11:00.860 AM  [8745F8E8] RPC method type = 1: rpc-method succeeded, queue to rpc-pending-list.
00000005        1:11:00.860 AM  [8745F8E8] Request reference count-- = 2.
00000006        1:11:03.487 AM  [8745F8E8] WskKnrRpcComplete: rpc calls back for completion.
00000007        1:11:03.487 AM  [8745F8E8] WskKnrCompletePending: complete pending request (rpc=1).
00000008        1:11:03.487 AM  [8745F8E8] Request reference count-- = 1.
00000009        1:11:03.487 AM  [8745F8E8] Request reference count-- = 0.
00000010        1:11:03.487 AM  [8745F8E8] WskKnrCompleteRequest: rpc completion return status = 00000000 (reply=c0000272).
00000011        1:11:03.487 AM  [8745F8E8] WskProAPIGetAddressInfo returned addrinfo: [addr=00000000].
00000012        1:11:03.487 AM  [bind=874FA5D0] Binding reference count-- = 1.
00000013        1:11:03.487 AM  [8745F8E8] WskKnrCompleteRequest: complete irp with IO status = c0000272.

00000014        1:12:29.977 AM  [4908] Notoriously Difficult Debug prints