Wednesday, December 12, 2012

Windows 8 Kernel Debugging

Starting with Windows Vista, Microsoft changed the Windows Boot Manager, thereby changing the way we debug the Windows Kernel. Now, there is a new tool called bcdedit.exe which can be used to modify the boot configuration of a Windows installation.
The goal is to set up kernel debugging via virtual serial port, on a Windows 8 guest VM running on a Windows 8 host via the built in Hyper-V that comes with Windows 8. The pipe name will be “debug” in this example. The first step is to enable the COM port of the guest VM in the VM’s settings:

Next, enable kernel debugging on the guest VM by running the following commands from an elevated command prompt on the guest:
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
The next step is to prepare the host for debugging the guest VM. The host had the Windows 8 SDK, WDK, Visual Studio 2012, and the Visual Studio 2012 coinstaller installed, in that order. There are 2 ways to debug kernels in guest VMs from a Windows 8 host. The first is to use Visual Studio 2012 (new method), and the second is to Windbg (old method). Visual Studio 2012 now has integrated kernel debugging support using the same debugging engine as Windbg. Once the host machine has everything installed, the steps to debug using Visual Studio 2012, are as follows:
  1. Run Visual Studio 2012 as Administrator
  2. Under the Tools->Attach to Process window, select "Windows Kernel Mode Debugger" for Transport.
  3. Click "Find" next to "Qualifier"
  4. In the "Configure Computers" window use the following settings:
To use the old Windbg method:
  1. Run Windbg as Admin on the host
  2. Hit ctrl+k to connect to the serial port exposed by the VM
  3. Use the following settings
 Further Reading:


  1. bcdedit is not a new tool. It helps you edit boot configuration data in Windows since at least Vista.

  2. Hi. Thanks for the feedback and thanks for reading. Yea, I mentioned that in the first sentence.

  3. This comment has been removed by a blog administrator.

  4. This comment has been removed by a blog administrator.