My role as a device driver developer and student of Windows NT internals often requires me to go beyond where standard Win32 debuggers, such as Microsoft Visual C++ (VC++), can go. For stepping through NT's kernel, or tracing the execution flow from user space into the kernel, you need a kernel-mode debugger. Microsoft provides WinDbg as part of its Windows NT Software Development and Device Driver Development kits, so this product is essentially free when you buy a Microsoft Developer Network subscription. However, WinDbg has several limitations. The only alternative debugger on the market is Compuware NuMega's SoftICE for NT, and although it has a high price tag, it's a necessity for a serious kernel-mode programmer.
To understand why SoftICE is attractive, you must first understand what you get with WinDbg. It's a two-computer debugging solution, where the command GUI runs on a computer that you connect to the one you are debugging (the target) via a standard NULL-modem serial cable. The WinDbg GUI interprets commands you enter for setting breakpoints in device drivers or the NT kernel, for freezing and unfreezing the target, and for stepping through instructions. One of WinDbg's features is that the GUI is a standard Windows application with subwindows for displaying disassembly, source code, a call stack, local variables, and processor registers. Some of the drawbacks to relying on WinDbg include the following: It has numerous quirks and bugs, and Microsoft doesn't support it; it has poor support for stepping through code not related to a device driver under development; it can't follow a transition from user mode to kernel mode or vice versa; and it transmits large amounts of data across a serial line, which is slow.
SoftICE runs on the computer that you are debugging, which makes it extremely responsive when scanning memory or capturing large amounts of debug output, and it doesn't suffer some of WinDbg's limitations. When you break into SoftICE— either when you hit a breakpoint during program execution or when you enter a hot key—it freezes the machine, stores away the video display, and pops up its own character-oriented windows. The interface is essentially the same as WinDbg's and shares many of the same commands, but it's less flexible and less attractive. Nevertheless, the ability to set breakpoints in the kernel or standard device drivers and then step up into a standard program such as NT Explorer makes SoftICE a powerful tool for understanding how NT works. This comprehension is especially desirable in the world of device driver programming, where many APIs are poorly documented. In addition, SoftICE has intrinsic knowledge of several key NT data structures that WinDbg doesn't, which simplifies navigating past the boundaries of your device driver.
SoftICE's utility doesn't stop at kernel-mode programming—it's also a powerful Win32 debugger. Although it's difficult to debug interapplication interactions, or interactions between an application and the OS, using Visual Studio's debugger, SoftICE makes this task relatively easy. Again, you can seamlessly follow execution from your Win32 application into system DLLs and then into the kernel and back.
SoftICE's relatively high price tag, especially when you compare it to the cost of WinDbg (free), might make it a hard purchase to justify. In the world of device driver development, however, this tool is essential, even if your primary debugger will continue to be WinDbg. You can always pull out SoftICE to help you in situations where WinDbg isn't up to the task. Perhaps the most compelling reason to move to this product is that Compuware NuMega fully supports it. When you're debugging complex device driver code, the most annoying bugs are those in the tools you are using; a product that provides bug fixes in a timely manner is worth its weight in debugged lines of code. SoftICE will continue to be the coauthor of my NT Internals column, helping me to understand NT beyond its documentation.
| Contact: Compuware NuMega * 603-578-8400 |