How to replace NT kernel debug version for Windows 2012 r2

  • Question

  • Hi,

    I am looking for a way to change the Windows 2012 R2 OS into a debug version; this would help me debug and get detailed logs of the kernel BSODs obtained from my_boot_start_drivers.

    Please let me know how to change a free build kernel into a checked build kernel.

    Thanks in advance

    Sravan

    Tuesday, June 9, 2015 12:18 PM

All replies

  • You need to copy the chk kernel and HAL from the WDK and update the BCD entry to point to them. With that said, if your server is up to date on patches, this probably won't work, as there are other system components that rely on the up-to-date kernel, but your chk replacement is the RTM (old) version. You are better off turning on Driver Verifier and various ETW logs to debug your problem; both are available on a fre build.

    See https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/215127d4-f97d-4a3c-be30-424f086a61ce/windbg-replacing-boot-start-drivers-and-nt-kernel-debug-version-for-windows-2012-r2?forum=wdk for a discussion.


    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, June 9, 2015 8:27 PM
  • First of all, many thanks for showing interest!

    I have tried copying the chk kernel and HAL from WDK 8.1 and created BCD entries, i.e.

    1. bcdedit /set {<object>} kernel ntkrnlmp.exe

    2. bcdedit /set {<object>} hal hal.dll

    As a result, the kernel is not getting loaded at all. Please find the debugger log details below:

    ---------------------------------------------------------------------------------------------------------------

    BD: Boot Debugger Initialized
    Connected to Windows Boot Debugger 9600 x64 target at (Tue Jun  9 03:09:36.734 2015 (UTC - 7:00)), ptr64 TRUE
    Kernel Debugger connection established.

    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    OK                                             D:\Symbols
    Symbol search path is: D:\Symbols
    Executable search path is: 
    Windows Boot Debugger Kernel Version 9600 UP Free x64
    Machine Name:
    Primary image base = 0x00000000`008eb000 Loaded module list = 0x00000000`00aa42d0
    System Uptime: not available
    winload!DebugService2+0x5:
    00000000`00a1b4f5 cc              int     3
    kd> .reload /f
    Connected to Windows Boot Debugger 9600 x64 target at (Tue Jun  9 03:09:50.890 2015 (UTC - 7:00)), ptr64 TRUE
    Loading Kernel Symbols

    Loading User Symbols
    kd> lm
    start             end                 module name
    00000000`008eb000 00000000`00ac0000   winload    (pdb symbols)          d:\symbols\winload_prod.pdb\E5D38A068D3C452CB428119589C0B12E1\winload_prod.pdb
    kd> g
    *** Windows is unable to verify the signature of
        the file \Windows\system32\ntkrnlmp.exe.  It will be allowed to load
        because the boot debugger is enabled.
    Shutdown occurred at (Tue Jun  9 03:10:30.093 2015 (UTC - 7:00))...unloading all symbol tables.
    Waiting to reconnect...

    -----------------------------------------------------------------------------------------------------------------------------

    It looks like turning off Driver Verifier would let me enter the kernel.

    Could you please suggest the steps to turn off Driver Verifier? It would be very helpful.

    And ntkrnlmp.exe is not a driver file; would turning off Driver Verifier help it skip the signature verification check?

    • Edited by sravan.u90 Wednesday, June 10, 2015 12:29 PM
    Wednesday, June 10, 2015 5:35 AM
  • Driver Verifier has nothing to do with sig verification. You should turn on test signing as well.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, June 10, 2015 4:34 PM
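The steps the two replies above describe (copy the checked kernel and HAL from the WDK, point a BCD entry at them, turn on test signing, and the Driver Verifier alternative), collected into one elevated PowerShell session as an added example. This is not code from the thread or from Microsoft; the source folder C:\chk, the file names ntkrnlmp.chk.exe / hal.chk.dll, the driver name my_boot_start_driver.sys and the serial debug transport are assumptions for illustration. It does not remove the caveat in the first reply: on a patched server the RTM checked kernel may still fail to boot, and the original poster reported that test signing did not help in their case.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt
# on the target machine. Assumed: the WDK 8.1 checked ntkrnlmp.exe and hal.dll were
# already copied to C:\chk (placeholder path); the driver under test is
# my_boot_start_driver.sys (placeholder name); the kernel debugger uses COM1.

$chkSrc = 'C:\chk'                       # placeholder: checked binaries from the WDK
$sys32  = "$env:SystemRoot\System32"
$drv    = 'my_boot_start_driver.sys'     # placeholder: the boot-start driver being debugged

# 1. Copy the checked kernel and HAL into System32 under distinct names so the
#    free binaries that the patched system expects stay in place.
Copy-Item "$chkSrc\ntkrnlmp.exe" "$sys32\ntkrnlmp.chk.exe"
Copy-Item "$chkSrc\hal.dll"      "$sys32\hal.chk.dll"

# 2. Clone the current boot entry so the original stays bootable, and capture the
#    GUID of the new entry from bcdedit's "successfully copied to {guid}" message.
#    The braces are quoted because PowerShell otherwise parses {current} itself.
$out  = bcdedit /copy '{current}' /d 'Windows Server 2012 R2 (checked kernel)'
$guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "bcdedit /copy did not return an entry GUID: $out" }

# 3. Point only the new entry at the checked binaries. The kernel and hal options
#    take a file name, not a path; the files must be in System32.
bcdedit /set $guid kernel ntkrnlmp.chk.exe
bcdedit /set $guid hal    hal.chk.dll

# 4. The WDK binaries are not production-signed. As the log above shows, the boot
#    debugger only lets them load while it is attached, so turn test signing on for
#    the new entry. With Secure Boot enabled bcdedit refuses this setting; disable
#    Secure Boot in firmware first.
bcdedit /set $guid testsigning on

# 5. Kernel debugger plus boot debugger on the new entry, serial transport on COM1.
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /set $guid debug on
bcdedit /bootdebug $guid on

# The alternative the first reply recommends, which needs no checked kernel:
# Driver Verifier with the standard checks on just the driver under test.
# It takes effect after a reboot; 'verifier /reset' turns it off again if the
# extra checks make the boot-start driver bugcheck before you can log in.
verifier /standard /driver $drv
verifier /querysettings
```

Reboot and pick the "(checked kernel)" entry from the boot menu to test the checked binaries; if it fails to boot, the untouched original entry is still there. Because Driver Verifier is a separate, always-available mechanism, it can be enabled on the free build without any of the BCD changes above.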
  • Hi Doron,

    bcdedit -set testsigning on doesn't work for me; I have already checked the test-signing procedures.

    Thursday, June 11, 2015 5:52 AM