On Windows 10, at the lower left of the desktop, click the magnifying glass. Type STORE
Open Microsoft Store.
In Microsoft Store, search for WinDbg, as shown below.
When it finds "WinDbg Preview", click the blue Get button.
A "Use across your devices" box pops up. Click "No, thanks".
Click the Start button and type WINDBG. Right-click "WinDbg Preview" and click "Run as Administrator". Approve the privilege escalation.
and open it.
Here you see Notepad loading the DLLs it uses.
Notice the address shown for ntdll, the user-mode face of the Windows kernel, outlined in red in the image below.
Open Process Explorer and click notepad.exe. If you can't find the "notepad.exe" process, just skip the usage of Process Explorer.
Click View, "Show Lower Pane".
Click View, "Lower Pane View", DLLs.
In the lower pane, right-click ntdll and click Properties.
As shown below, the load address shown here matches the first address shown in WinDbg.
In WinDbg Preview, in the center pane, scroll down to the bottom.
Here you can see that the program has stopped at a break instruction inside the ntdll module, as shown below.
From the menu bar, click View, Stack.
The lower right pane shows the stack frames, indicating that we are five calls deep, all within ntdll.
You see a long list of symbols used by Notepad.
To see the symbols containing the word main, execute this command:
You see a few symbols, including the entry point WinMain, as shown below.
The breakpoint is set, as shown below.
bu notepad!WinMain
bl
The program stops at the WinMain breakpoint, as shown below.
You see a list of loaded modules. Some of them have .pdb files shown on the right, including ntdll, as shown below.
Those are symbol files that make debugging easier.
You see a list of the functions that are in progress at this point, as shown below.
This is the same list as the one that appears in the lower right pane, with more detail.
You see a few symbols, including ntdll!ZwCreateFile, as shown below.
Notepad hits the breakpoint, as shown below.
bu ntdll!ZwCreateFile
g
Notepad hits the breakpoint.
Scroll back up to see the start of the k output, as shown below.
The first number is the processor number, and the second is the thread number.
When I did it, the breakpoint was hit by thread 8, running on processor 2. Your numbers may be different.
To see all the threads in the Notepad process, execute this command (the tilde character, Shift+Backtick):
On my system, only one thread was running, as shown below.
There are two breakpoints, as shown below.
In the line for breakpoint 1, click Clear.
The system executes the bc 1 command for you.
Repeat the process to delete breakpoint 0.
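The whole WinDbg session above, collected into one command sequence as an added example (this is not text from the lab page; it uses only standard WinDbg commands: x, bu, bl, g, k, lm, ~ and bc). Type the commands one at a time in the WinDbg Preview command window after WinDbg has launched notepad.exe and stopped at the initial ntdll break. The symbol pattern notepad!*main* and the breakpoint numbers 0 and 1 are assumptions about this particular session; your numbering will match only if no other breakpoints were set.

```windbg
$$ Added example, not part of the lab page: a WinDbg walk through notepad.exe.
$$ Lines starting with $$ are WinDbg comments.

$$ 1. Find the entry point: list notepad symbols whose name contains "main"
$$    (pattern is an assumption; it matches WinMain among others).
x notepad!*main*

$$ 2. Set an unresolved breakpoint on WinMain and confirm it in the breakpoint list.
bu notepad!WinMain
bl

$$ 3. Run until WinMain is hit, then show the call stack that led here.
$$    The prompt in front of the output reads <processor>:<thread>.
g
k

$$ 4. List loaded modules; the .pdb column shows which have symbols.
$$    "lm m ntdll" restricts the list to ntdll, whose base address should match
$$    the load address Process Explorer reports for the same process.
lm
lm m ntdll

$$ 5. Break when Notepad reaches the native file-creation routine in ntdll,
$$    then show the stack and all threads of the process at that moment.
bu ntdll!ZwCreateFile
g
k
~

$$ 6. Remove both breakpoints by number (bc * would clear all of them),
$$    verify the list is empty, and let Notepad run to completion.
bc 0
bc 1
bl
g
```

Each command here corresponds to one of the steps in the lab, so the output you see after each one should match the screenshots in the steps above; nothing in this sequence changes Notepad, it only observes it.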
PMA 430.1 Parent Process (15 pts)
Launch Process Explorer. Find the Notepad process. (There may be more than one, as shown below.)
The flag is the name of the parent process, covered by a green box in the image below.
Process Explorer instructions updated 10-14-20
Bugs fixed 4-13-2021