Windows Kernel Debugging

Windows kernel debugging using VMware Workstation 12, with Windows 7 as the target (guest) system and Windows 8.1 as the host machine.

>> Set up a virtual machine with Windows 7. After the Windows installation completes, shut it down.

>> Enable virtual printers in VMware Workstation: go to Edit -> Preferences -> Devices -> Enable virtual printers. The virtual printer is itself a serial device that takes COM1 in the guest, which is why the debug serial port added below ends up as COM2.

>> Download WDK 10 from here and install it on the host machine.

>> Set up debug symbols on the host machine (instructions here).

>> Set up the System Path variable. Append the debuggers directory, e.g. C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64, assuming the default installation path. Note that a WDK 10 installation places kd.exe under C:\Program Files (x86)\Windows Kits\10\Debuggers\x64 instead, so append whichever directory actually contains kd.exe.

>> Create a named pipe. The VM must not be running. Open the VM settings and click Add... Create a serial port. Choose Output to named pipe for the port type. Choose a name for the pipe, for example \\.\pipe\mykdpipe. Choose This end is the server. Because the debugger (kd.exe) runs as a program on the host, choose The other end is an application. Check Connect at power on. Click Finish.

>> Go to the VM settings, open the Serial Port settings and enable Yield CPU on poll, so the guest does not burn a host CPU core while polling an idle serial port.

>> Enable debugging. Run the virtual machine, open a command prompt as administrator inside the guest and execute:

bcdedit /debug ON
bcdedit /dbgsettings serial debugport:2 baudrate:115200

Here debugport:2 assumes the serial port created above is COM2 in the guest (COM1 being taken by the virtual printer); check Device Manager if you are unsure, since a wrong port number silently leaves the debugger waiting forever. Restart the virtual machine so the kernel debugging settings take effect, then shut it down.
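The guest-side part of this step as a script, added here as an example and not taken from the original post. It runs in an elevated PowerShell inside the Windows 7 guest, first listing the COM ports the guest actually sees and checking that the expected one (COM2, an assumption matching the settings above) exists before applying the bcdedit settings and printing them back for review.

```powershell
# Added example (not from the original post). Run as Administrator inside the guest.
# Assumption: the VMware serial port created for debugging appears as COM2
# (the virtual printer usually occupies COM1). Adjust $DebugPort otherwise.
$DebugPort = 2
$BaudRate  = 115200

# Show every serial port the guest knows about, so "debugport:2" is not a guess.
Get-WmiObject Win32_SerialPort |
    Select-Object DeviceID, Name, PNPDeviceID |
    Format-Table -AutoSize

# Abort early if the expected port is missing; bcdedit would accept it anyway
# and the kernel would then wait on a port that leads nowhere.
$expected = "COM$DebugPort"
$present  = Get-WmiObject Win32_SerialPort | Where-Object { $_.DeviceID -eq $expected }
if (-not $present) {
    throw "$expected is not present in the guest; check the VM's serial port settings."
}

# Enable the kernel debugger and point it at the serial port.
& bcdedit /debug on
& bcdedit /dbgsettings serial "debugport:$DebugPort" "baudrate:$BaudRate"

# Read the settings back so a typo is caught before the reboot.
& bcdedit /dbgsettings
& bcdedit /enum "{current}"
```

The `{current}` identifier is quoted because PowerShell would otherwise parse the braces as a script block. After the script reports the expected settings, reboot the guest once and shut it down as the step above describes.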

>> Launch the kernel debugging session. On the host, run the command line as administrator and execute:

kd -logo .\logs.txt -k com:pipe,port=\\.\pipe\mykdpipe,resets=0,reconnect

>> Start the virtual machine. Once the VM has completed system startup, press CTRL+C in the kd window on the host to break in, which suspends execution of the VM (Windows 7) and gives you a kd> prompt.

>> To exit kd.exe cleanly, execute the following commands at the kd> prompt:

bc *

Clears all breakpoints

g

Allows the VM to continue executing/working. With the target running again, press CTRL+B and then ENTER to quit kd.exe; quitting while the target is still broken in would leave the VM frozen.
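The host-side launch as a script, added here as an example and not part of the original post. It runs in an elevated PowerShell on the Windows 8.1 host, checks whether the named pipe already exists (it is created by VMware only while the VM is powered on, since the VM is the server end), and then starts kd.exe with the same logging and transport options as the command above. The pipe name mykdpipe, the log file name and kd.exe being on PATH are assumptions taken from the steps above.

```powershell
# Added example (not from the original post). Run as Administrator on the host.
# Assumptions: kd.exe is on PATH, the VM's serial port is bound to
# \\.\pipe\mykdpipe, and the log should go to logs.txt in the current directory.
$PipeName = "mykdpipe"
$PipePath = "\\.\pipe\$PipeName"
$LogFile  = Join-Path (Get-Location) "logs.txt"

# Enumerate the host's named pipes. The VM creates its pipe at power-on, so a
# missing pipe simply means the VM is not running yet; "reconnect" below makes
# kd keep retrying, but the hint saves a confused wait.
$pipes = [System.IO.Directory]::GetFiles("\\.\pipe\")
if ($pipes -contains $PipePath) {
    Write-Host "Pipe $PipePath is present; the VM appears to be powered on."
} else {
    Write-Warning "Pipe $PipePath not found yet. Start the VM; kd will reconnect when it appears."
}

# Transport string exactly as in the manual command: named pipe, no reset
# handling, and automatic reconnect after the VM reboots.
$transport = "com:pipe,port=$PipePath,resets=0,reconnect"

# -logo overwrites the log file; use -log instead to append to an existing one.
& kd.exe -logo $LogFile -k $transport
```

Once the VM boots, use CTRL+C to break in and the bc * / g / CTRL+B sequence above to leave the session without freezing the guest.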

This guide also works with Windows 8.1 as the guest inside the virtual machine.
