# Parse WinDbg wt command output by converting it into CSV

The output of the WinDbg wt command (trace and watch data) looks like this:

  105     0 [  0] MyModule!myFunction
1     0 [  1]   MyModule!ILT+1555(_printf)
9     0 [  1]   MyModule!printf
1     0 [  2]     MyModule!ILT+370(__stbuf)
11     0 [  2]     MyModule!_stbuf
1     0 [  3]       MyModule!ILT+1440(__isatty)
14     0 [  3]       MyModule!_isatty
50    15 [  2]     MyModule!_stbuf
17    66 [  1]   MyModule!printf
1     0 [  2]     MyModule!ILT+980(__output)
59     0 [  2]     MyModule!_output
39     0 [  3]       MyModule!write_char
111    39 [  2]     MyModule!_output
39     0 [  3]       MyModule!write_char

It may be easier to interpret by converting it into another format such as Comma Separated Values (CSV) and analyzing it using Microsoft Excel.

With Notepad++, open the Replace window a look for the following regular expression:

[ ]+([0-9]+)\s*([0-9]+)\s*$\s*([0-9]+)\s*$\s*(.*)

And replace with:

\1,\2,\3,"\4"

The final result should look like this:

105,0,0,"MyModule!myFunction"
1,0,1,"MyModule!ILT+1555(_printf)"
9,0,1,"MyModule!printf"
1,0,2,"MyModule!ILT+370(__stbuf)"
11,0,2,"MyModule!_stbuf"
1,0,3,"MyModule!ILT+1440(__isatty)"
14,0,3,"MyModule!_isatty"
50,15,2,"MyModule!_stbuf"
17,66,1,"MyModule!printf"
1,0,2,"MyModule!ILT+980(__output)"
59,0,2,"MyModule!_output"
39,0,3,"MyModule!write_char"
111,39,2,"MyModule!_output"
39,0,3,"MyModule!write_char"

# Win32 Mutex, HANDLEs and WinDbg !handle extension.

It turns out a mutex is like a lock that is shared between processes. So if we run two instances of the following program at the same time, the second instance will hang/wait 10 seconds before acquiring the mutex.

#include "stdafx.h"
#include <Windows.h>
#include <synchapi.h>

int main(int argc, _TCHAR* argv[])
{
WCHAR* cacheMutexName = L"HelloWorldMutex";
HANDLE handle = ::CreateMutex(nullptr, FALSE, cacheMutexName);

DWORD result = WaitForSingleObject(handle, INFINITE);

switch (result)
{
case WAIT_OBJECT_0:
printf("The thread got ownership of the mutex.\r\n");
break;
case WAIT_ABANDONED:
printf("The thread got ownership of an abandoned mutex.\r\n");
break;
}

// Countdown.
for (int i = 10; i > 0; i--)
{
wprintf(L"%d\r\n", i);
Sleep(1000);
}
wprintf(L"0\r\n");

ReleaseMutex(handle);
printf("Mutex released.\r\n");

return 0;
}

In Win32, once you get the mutex, you can distinguish between two different cases. The first case is WAIT_OBJECT_0 and it means the previous owner released the mutex properly by calling ReleaseMutex() and the second case is WAIT_ABANDONED and it means the previous owner terminated without calling ReleaseMutex().

To reproduce the WAIT_ABANDONED case with the sample program, press CTRL + C in the first instance before the countdown hits zero.

When using WinDbg, during live debugging or during dump analysis, the !handle extension comes very handy.

Just get the handle value:

0:000> dv
argc = 0n1
argv = 0x010f6f28
handle = 0x00000038
result = 0xcccccccc
cacheMutexName = 0x003f5858 "HelloWorldMutex"

And print all the handle info:

0:000> !handle 0x00000038 f
Handle 38
Type Mutant
Attributes 0
GrantedAccess 0x1f0001:
QueryState
HandleCount 3
PointerCount 98306
Name \Sessions\1\BaseNamedObjects\HelloWorldMutex
Object Specific Information
Mutex is Owned
Mutant Owner 11ac.1628

Now we know 11ac.1628 is the owner of the mutex:

If we print the call stack for each thread in the second instance of the program:

0:000> ~* kcn

.  0  Id: 29f8.778 Suspend: 1 Teb: 7f15c000 Unfrozen
#
00 ntdll!NtWaitForSingleObject
01 KERNELBASE!WaitForSingleObjectEx
02 KERNELBASE!WaitForSingleObject
03 MutexExample!main
04 MutexExample!__tmainCRTStartup
05 MutexExample!mainCRTStartup

#  1  Id: 29f8.ec4 Suspend: 1 Teb: 7f159000 Unfrozen
#
00 ntdll!DbgBreakPoint
01 ntdll!DbgUiRemoteBreakin
04 ntdll!_RtlUserThreadStart

We do not see any 11ac.1628 thread.

But if we print the call stacks of the first process intance:

0:000> ~* kcn

.  0  Id: 11ac.1628 Suspend: 1 Teb: 7fe7d000 Unfrozen
#
00 ntdll!NtDelayExecution
01 KERNELBASE!SleepEx
02 KERNELBASE!Sleep
03 MutexExample!main
04 MutexExample!__tmainCRTStartup
05 MutexExample!mainCRTStartup

#  1  Id: 11ac.1c48 Suspend: 1 Teb: 7fe7a000 Unfrozen
#
00 ntdll!DbgBreakPoint
01 ntdll!DbgUiRemoteBreakin


Then we see the 11ac.1628 thread.

In fact 0x11ac and 0x29f8 match the PID of the processes:

C:\>tlist

4524 MutexExample.exe
10744 MutexExample.exe

Happy handle debugging!

# Find and replace with regular expressions in Visual Studio 2013.

Lets say you have this:

FOO(Main)(int a);
FOO(Main_Bar)(int a);
FOO(Main_Foo)(int a);


And you want to convert it into this:

BAR MyClass::Main(int a);
BAR MyClass::Main_Bar(int a);
BAR MyClass::Main_Foo(int a);


Notice FOO is replaced with BAR MyClass:: and parenthesis around the method name are removed.

To make this happen, find this:

FOO$$([a-z_]*)$$

Notice that [a-z_]* is surrounded by an extra pair of parenthesis. That makes this match (capture group) reusable in the replace expression.

Then replace with this:

BAR MyClass::$1$1 is replaced with the value of the first capture grou, if we put more capture groups in the find expression, $2 will be the value of the second capture group and so on. One more thing, capture groups values can be used in the same find expression, e.g., to go from this: int MyClass::Main_Bar(int a); double MyClass::Main_Foo(int a); double MyClass::Main_Fizz(double a);  To this: Object MyClass::Main_Bar(Object a); double MyClass::Main_Foo(int a); Object MyClass::Main_Fizz(Object a); Find this: ([a-z_]*) MyClass::([a-z_]*)$$\1 a$$ \1 matches the value of the first capture group in the same find expression. And replace with this: Object MyClass::$2(Object a)

Notice the value type was only modified on those methods that have the same value type in the input parameter and in the return value.

Source: http://stackoverflow.com/questions/7848329/search-and-replace-in-visual-studio

# WinDbg go up (gu) without hitting any other breakpoint.

Today I defined hundreds of breakpoints, including breakpoints in functions A, B and C.

When I break into function A, I want to go up (run until the current function returns) without breaking into other breakpoint.

MyApp!A <--- First break.MyApp!main <--- I want to go back to main without breaking anywhere else.

Unfortunately, function A calls B and B calls C. So I have to break into B:

MyApp!B <--- Second break.MyApp!AMyApp!main

And then into C:

MyApp!C <--- Third break.MyApp!BMyApp!AMyApp!main

Before coming back to main.

And easy solution to this problem is to disable all breakpoints, go up, and re-enable all breakpoints, i.e.:

bd *; gu; be *;

You don’t have to remove B and C breakpoints and define them again after going up.

# Make a permanent command line alias for Notepad++ in Windows.

Are you a huge fan of Notepad++ like I am?

Well, if it is not enough with adding Notepad++ to the path:

c:\> set path=%path%;c:\Program Files (x86)\Notepad++

And registering the Notepad++ shell extensions:

regsvr32.exe "c:\Program Files (x86)\Notepad++\NppShell_05.dll"

Then, you may want to create a command line alias, so instead of:

c:\> notepad++ something.txt

You only type:

c:\> np something.txt

And still enjoy the benefits of not renaming the notepad.exe binary.

## Step 1

Create the batch script that registers the alias and save it as notepadAlias.cmd

@echo off
doskey np=notepad++ \$*

## Step 2

Create a Registry Editor script. Make sure to replace C:\\path\\to with the path where you saved the batch script:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"CompletionChar"=dword:00000009
"DefaultColor"=dword:00000000
"EnableExtensions"=dword:00000001
"PathCompletionChar"=dword:00000009
"Autorun"="c:\\path\\to\\notepadAlias.cmd"

This will execute the batch script each time a command line is started.

## Step 3

Execute the Registry Editor script (double click  > Yes > Yes > Ok).

## Step 4

Open a new command line, type np and see Notepad++ opening.

# Upgrading from HDD to SSD (2014)

I have a 4 years old Sony Vaio EA with a Hard Disk Drive (HDD) with 5400 RPM rotation rate. Today I had nothing to do, so I decided to replace its HDD with a Solid State Drive (SSD). This should be a good performance improvement. I made some analysis using CrystalDiskMark before and after replacing the drive, and the images speak by themselves:

The results are awesome. Roughly, the read and write speeds increased 196%. But, how does this compare with modern machines in the market? Here are the Lenovo Yoga 2 Pro results, a machine that comes with a SSD by default:

Lenovo Yoga 2 Pro Results

The Lenovo machine is 100% faster reading, however writing both machines have almost the same performance.

# Emoji characters in all web browsers running on Windows?

The following CSS snippet will display your Emoji characters correclty in all browsers running on Windows, including Internet Explorer and Google Chrome.

.emojiText {
font-family:"Segoe UI Symbol";
}

Then apply the CSS style to your text:

<p>
Websites are funnier with
<span class="emojiText">&amp;#128565; &amp;#128126;</span>
</p>