A Cool WinDBG/SOS Hidden Feature

Every once in a while you run across an undocumented trick that totally and completely makes your day. A great example of that is the ability to debug MSBuild scripts in Visual Studio. Today I ran across another amazingly useful feature in WinDBG and SOS for .NET 4.0 that will save you countless hours of typing when analyzing minidumps. If you thought using .cmdtree to click your way to SOS happiness was amazing, you’re going to love this one.

The next time you start a WinDBG debugging session with SOS 4.0, issue the following undocumented command before you run any SOS commands:

.prefer_dml 1

If you’ve been using WinDBG for a while, you might have heard of DML (Debugger Mark Up Language). It’s a feature of WinDBG where you can get hyperlinks in specific command output, such as LM (Loaded Modules) where you can click on a module to get more information about that module. To see DML in action, execute the lm /D command and you’ll see the hyperlinks in the Command window like the following:

Clicking on one of the links will execute the lmDvm<module> command which not only shows the version, but allows you to dump all the native symbols using the X command.

So what does DML have to do with SOS? It turns out everything! Once you’ve issued the .prefer_dml 1 command some serious magic happens. For example, here’s the output of the !dso (Dump Stack Objects) command:

You’ve never seen !dso look so sexy, have you? If you click on one of those object addresses, that will issue the !dumpobj /d <address> command for that address:

With SOS 4.0 Microsoft has implemented DML in most of the commands! If you want the clickable output on an SOS command, add the /d command line option. Here’s an example with !threads /d:

Even the most useful command, !dumpheap, supports the /d option:

Get in the habit of adding /d to SOS 4.0 commands so you can debug faster by clicking your way to happiness. As I mentioned, not all commands support /d, but most do. Note that I’m using the latest WinDBG,, from the Windows SDK. I haven’t checked if the SOS DML works in previous versions of the debugger but suspect it will.

A huge part of the joy of our business is discovering new features even if they haven’t been fully supported that make your life easier. It’s like the developers were anticipating your needs and thinking about what would make your life better. The SOS 4.0 developers deserve a ton of credit for bringing a huge smile to my face and everyone who needs to debug those tough to solve problems!

Protect Your Business With Industry Best Practices

SolarWinds® Log & Event Manager (LEM) is a groundbreaking virtual appliance that combines real-time log analysis and event correlation to deliver the visibility, security and control you need to overcome everyday IT challenges. Atmosera will install, configure and manage the tool, plus provide regular security reviews of your environment.

Log collection, analysis and real-time correlation

SolarWinds LEM provides easy, powerful and automated log & event management intelligence from anywhere data is generated for IT operations, security and compliance.

  • Collects and catalogs log & event data in real-time, from anywhere data is generated within your IT infrastructure
  • Executes the automated responses you need to quickly and automatically take action against threats
  • Advanced IT Search employs highly effective data visualization tools — word clouds, tree maps, and more
  • Quickly generates compliance reports for PCI DSS , GLBA, SOX, NERC CIP, HIPAA, etc.

Personalization puts you in control

Atmosera can work with you to create custom dashboards, widgets, searches, rules and groups.

  • Atmosera’s Passive Option for Log & Event Management provides a web- access portal for self-service
  • The Active Option adds proactive notification and escalation by the Atmosera Command Center

Real-time, in-memory, event log correlation

Atmosera’s LEM service allows you to effectively troubleshoot performance problems by understanding the relationship between dramatically different activities, such as the number of user logon failures and denied traffic counts.

  • Provides immediate insight into anomalies in your environment and can take automated actions to thwart attacks in real time and understand how they occurred
  • Perform multiple event correlation, including the unique ability to set independent thresholds for activity per event, or group of events

Cutting-edge IT search for event forensic analysis

Advanced IT search functionality enables you to perform forensic analysis on events and achieve more effective log monitoring. In addition to search, LEM provides multiple data visualization technologies including word clouds, tree maps, bubble charts and histograms.

  • Search a range of data, from high-level events and key terms to detailed log data
  • Quickly perform forensic analysis on events to determine what really happened before, during and after the event

Security and compliance reporting templates

Gain the visibility and protection you need for security and compliance, plus protection of your client data and privacy. We offer more than 300 “audit-proven” templates for regulatory compliance including PCI DSS, GLBA, SOX, NERC CIP, HIPAA and many more — or have Atmosera create a custom template for your operations. Easily bring your audit logs into the LEM’s log management process for data protection

Log data compression and retention

LEM uses a high performance, high compression data model for log storage, storing data at up to a 60:1 ratio. That means you can store the massive amounts of log data required for regulatory compliance while reducing your storage footprint. You gain the ability to search, monitor, report and analyze this historical data for compliance reporting and auditing

We deliver solutions that accelerate the value of Azure.

Ready to experience the full power of Microsoft Azure?

Start Today

Blog Home

Stay Connected

Upcoming Events

All Events