How to break into KD(Windbg) for Explorer crash


I see a crash in Explorer.exe, due to our security software DLL loaded into Explorer.exe.

The crash happens during the shutdown of the system. The VM is connected to the kernel debugger. I don't see the kernel debugger break when the exception happens. I tried all debug event filters, but I could not succeed.

Can someone suggest why I could not see the break when there is an exception? I want to break into the debugger exactly at the time of the exception. Can I use SXE ud "dllName" in kernel mode to notify me when a particular DLL gets unloaded?

The exception was an Explorer crash: "The instruction at 0x6ad88b5 referenced memory at 0x0000000. The memory could not be read."

2

There are 2 answers

1
Peter (BEST ANSWER)

This should work:

  1. Launch gflags.exe from WinDbg.
  2. Go to "Image File" tab, type in "explorer.exe" and hit TAB key.
  3. Check the first item "Stop on Exception".

Now when explorer.exe crashes and the kernel debugger is connected, WinDbg should break.
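What the gflags steps above change under the hood, as an added example that is not part of the answer: gflags writes the "Stop on Exception" bit (FLG_STOP_ON_EXCEPTION, 0x1, the `+soe` switch) into the `GlobalFlag` value under the Image File Execution Options key for the image. This script sets, inspects and clears that bit for explorer.exe directly; the path and function names are my own, and it assumes an elevated PowerShell session.

```powershell
# Added example: toggle the same IFEO "Stop on Exception" bit that gflags.exe sets.
# The loader reads GlobalFlag when the process starts, so explorer.exe must be
# restarted (or the machine rebooted) before the flag has any effect.

$ImageName = 'explorer.exe'
$IfeoPath  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ImageName"
$FLG_STOP_ON_EXCEPTION = 0x1   # bit gflags labels "Stop on Exception" (+soe)

function Get-ImageGlobalFlag {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 0 }
    $v = Get-ItemProperty -Path $Path -Name GlobalFlag -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.GlobalFlag
}

function Enable-StopOnException {
    param([string]$Path, [int]$Flag)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $new = (Get-ImageGlobalFlag $Path) -bor $Flag      # keep any other bits already set
    Set-ItemProperty -Path $Path -Name GlobalFlag -Value $new -Type DWord
    return $new
}

function Disable-StopOnException {
    param([string]$Path, [int]$Flag)
    $new = (Get-ImageGlobalFlag $Path) -band (-bnot $Flag)
    if ($new -eq 0) {
        # Nothing left in GlobalFlag: remove the value rather than leaving a zero behind.
        Remove-ItemProperty -Path $Path -Name GlobalFlag -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Path -Name GlobalFlag -Value $new -Type DWord
    }
    return $new
}

$flags = Enable-StopOnException -Path $IfeoPath -Flag $FLG_STOP_ON_EXCEPTION
$state = if ($flags -band $FLG_STOP_ON_EXCEPTION) { 'enabled' } else { 'disabled' }
'GlobalFlag for {0} is now 0x{1:X} (Stop on Exception {2})' -f $ImageName, $flags, $state

# Equivalent with the tool itself:  gflags /i explorer.exe +soe
# Clear it again once the investigation is done (Disable-StopOnException, or
# gflags /i explorer.exe -soe): a leftover IFEO flag persists across reboots.
```

With the bit set, any exception raised in explorer.exe stops the process in the attached kernel debugger, which is the break the question is asking for.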

3
Player

First, loading or unloading of a DLL will not cause a break when debugging in kernel mode; they work well when doing user-mode debugging, however.

I believe in kernel-mode debugging you should be able to break when kernel-mode binaries like .SYS files are loaded or unloaded.

Now, to your question. One way could be:

  1. Set WinDbg as the default postmortem debugger: *windbg.exe -I*. This will ensure that you break into the debugger when any exception occurs. But this would be user-mode debugging.

  2. Next, given that you have a KD setup, just executing *.breakin* will take you from user-mode to kernel-mode debugging.

Italics are debugger commands.