
Windows Kernel Debugging - Running WinDbg Preview In An Older OS

Installing WinDbg Preview in an operating system prior to Windows 10.

This article contains undocumented features that are not supported by the original manufacturer. By following advice in this article, you're doing so at your own risk. The methods presented in this article may not work in the future.

Preface

I'm not going to ask why you want to install and run WinDbg Preview on an older operating system. I'm just going to point out that you can also install and run it in a virtual machine, in Windows 10, and treat it as a host kernel debugger, as it is explained in this article. You will avoid a lot of potential headache if you do that.

If you want to proceed, keep in mind that the older those operating systems get, the less chance there is that WinDbg Preview will run on them. During my tests on Windows 8.1, I already ran into issues: WinDbg Preview showed errors during launch. I am assuming that things will only get worse with time for this approach.

Also keep in mind that, although the new WinDbg Preview is not supported on OSes prior to Windows 10, the original WinDbg can still run there, and it also supports fast kernel network debugging. The only thing you'd be missing is the new UI of WinDbg Preview.

Limitations & Requirements

Let's review what you can and cannot do with an older OS:

  • Even if you manage to run WinDbg Preview, there will be errors. In some cases you can ignore (bypass) them, in some you can't.
  • There will be no automatic updates for WinDbg Preview, as there are on Windows 10. (Windows 10 store apps have a very slick way of updating themselves without the need for a reboot. That feature will not be available on an older OS.)
  • You will need to install .NET Framework v.4.0 before you can run WinDbg Preview, since some of its components are built with it:
    DbgX.Shell.exe file opened in "Detect It Easy" software.

Shortcut

You can technically just copy the WinDbg Preview files from an app already installed on Windows 10, from the following location:

C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2007.6001.0_neutral__8wekyb3d8bbwe\

That way, however, you get only the installed files of the app. In the next section, I will show you how to download the entire app package instead.

How to Extract Contents of .appx Package

Since WinDbg Preview comes from the Windows Store, it is delivered as an appx package. By default, the Microsoft Store app will not let you download it manually, or even see it. The installation is done in the background, without the user having any access to the appx package itself.

Tools

Next I will show you how you can download & extract files from the WinDbg Preview appx package.

To do that, we will need to install a couple of programs:

  • First off, I'd do all this in a VM, so that I can revert it after I get the appx package files.
    There's really no need to keep Fiddler on your main system if you're not planning to use it further.
  • You will need any version of Windows 10 for this.
  • We'll need something to extract files from the appx package with. For that download and install WinRAR.
    WinRAR is a paid product. You don't have to pay for it to extract files described here. But in case you like that software, please consider paying for its license.
  • Then you will need some software to proxy your network connection. Let's use Fiddler. Download and install it.

Interception

The next step is to intercept the URL that the appx package is downloaded from. Before that, we need to configure Fiddler.

Run Fiddler, and click WinConfig button when "AppContainer Configuration" window comes up:

"AppContainer Configuration" window in Fiddler.

Ignore all "Orphaned Exemption Record Found" message boxes by clicking No button.

In the "AppContainer Loopback Exemption Utility" window, click Exempt All to check all items in the list:

"AppContainer Loopback Exemption Utility" window in Fiddler.

Then click Save Changes and close that window.

Search for Microsoft Store app in the Start menu and open it up, then search for WinDbg Preview in it:

Microsoft Store app, search for "WinDbg Preview".

Open it up. But before doing anything else, switch back to Fiddler and go to Edit -> Remove -> All Sessions:

Fiddler - main menu.

This will clear the session list in Fiddler.

Then switch back to Microsoft Store app, and click the Get button for the WinDbg Preview app (or Install, if you downloaded it before):

WinDbg Preview download

As downloading of the app begins:

Download progress of the WinDbg Preview app in the "Windows Store" app.

Observe the Fiddler session list. You are looking for a repeating pattern of the same URL during the time the download progress bar is growing in the Windows Store app. In my case it was the pattern that began with the http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ URL.

As a side note, notice that the Windows Store app is using an unencrypted connection, beginning with http:, to download the appx package, which hypothetically exposes your Windows Store app downloads to a man-in-the-middle attack. Not good, Microsoft!

Right-click on that line in Fiddler, then go to Copy -> Just Url:

Fiddler - sessions list menu

Then open your web browser and paste the URL into the address bar and hit Enter. This should download the raw appx package to your computer:

Google Chrome, having downloaded the WinDbg Preview raw appx package.

Extraction

Open WinRAR and drag-and-drop the appx package that you just downloaded in your web browser into it. You should now see the contents of the appx package displayed in WinRAR:

WinRAR with the opened WinDbg Preview raw appx package.

Click Extract To on the top of the WinRAR window, and extract all the files into some folder on your disk:

WinRAR, "Extraction path and options" window, with C:\Users\Admin\Desktop\WinDbgPreview as the path to extract files to.

At this point, your selected folder on disk will contain files extracted from the downloaded appx package:

Windows Explorer showing the contents of the C:\Users\Admin\Desktop\WinDbgPreview folder.

You can now close all other apps and save the folder you created above. (And revert your VM, if you did the extraction in it.)

This is the full content of the appx package that the Store would have downloaded.
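Once downloaded, the appx file is just a zip container. The script below is an added example (not part of the original post): it reads AppxManifest.xml for the package identity and entry-point executable, records the SHA-256 so the download can be compared with a trusted copy (worth doing given the unencrypted download noted above), and refuses zip entries that would escape the extraction folder. The manifest built by build_sample_appx is constructed for the demo; the package name and version match the WindowsApps path quoted earlier, and the publisher is a placeholder.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

APPX_NS = {"a": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}  # manifest root namespace

def inspect_appx(data: bytes) -> dict:
    """Return identity, app executables, signature-file presence and SHA-256 for an appx blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "AppxManifest.xml" not in names:
            raise ValueError("not an appx package: AppxManifest.xml is missing")
        root = ET.fromstring(zf.read("AppxManifest.xml"))
        ident = root.find("a:Identity", APPX_NS)
        return {
            "name": ident.get("Name"),
            "version": ident.get("Version"),
            "executables": [a.get("Executable") for a in root.iterfind("a:Applications/a:Application", APPX_NS)],
            "signed": "AppxSignature.p7x" in names,  # presence only; this does not verify the signature
            "sha256": hashlib.sha256(data).hexdigest(),  # compare against a trusted copy of the package
        }

def is_safe_entry(dest: str, name: str) -> bool:
    """True if a zip entry name stays inside dest after resolution (blocks ../ escapes)."""
    base = Path(dest).resolve()
    target = (base / name).resolve()
    return target == base or base in target.parents

def extract_appx(data: bytes, dest: str) -> list:
    """Extract the package into dest, refusing any entry that would land outside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest, info.filename):
                raise ValueError(f"refusing entry outside destination: {info.filename}")
        zf.extractall(dest)
        return zf.namelist()

def build_sample_appx() -> bytes:
    """Constructed stand-in for the real package: a zip holding a minimal manifest."""
    manifest = ('<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
                '<Identity Name="Microsoft.WinDbg" Version="1.2007.6001.0" Publisher="CN=Constructed Publisher"/>'
                '<Applications><Application Id="App" Executable="DbgX.Shell.exe"/></Applications></Package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("DbgX.Shell.exe", b"MZ")   # placeholder bytes, not a real binary
        zf.writestr("AppxSignature.p7x", b"")  # placeholder; presence only
    return buf.getvalue()
```

For a real package, pass the bytes of the downloaded .appx to inspect_appx and then to extract_appx with your target folder; the executables entry tells you which file to launch (DbgX.Shell.exe for WinDbg Preview).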

Installation

This part is very easy. Move the extracted appx package contents for the WinDbg Preview app to the target OS. (In my case I tried it with Windows 8.1.)

Since Microsoft doesn't install appx packages into the Program Files folder on the boot disk, we'll follow suit. In my case I moved all extracted files into the local data folder:

C:\Users\User\AppData\Local\WinDbgPreview\

After that simply run DbgX.Shell.exe file, and you should see WinDbg Preview loading up.

Note that in my case the WinDbg Preview app showed several error messages about missing APIs, which I was able to bypass:

DbgX.Shell.exe - Entry Point Not Found

The procedure entry point MiniDumpWriteDump could not be located in the dynamic link library C:\Windows\system32\vm3dum64.dll.

After that, the debugger UI loaded up and I was able to use it to connect to the kernel of another OS, that was running in another VM.

WinDbg Preview running on Windows 8.1.

So the bottom line is that it kinda works. And as for why you would want to do this? I'll leave that up to you ...

What about Windows 7?

I haven't gone that far back to test it. But this person claims to have done it.
