Tracing a Windows* Kernel Function

To trace the frequently called nt!KiSwapThread Windows* kernel function, perform the following steps:

  1. Set an IP filter (to avoid tracing debugger communication):

    !setipfilter nt!KiSwapThread (nt!KiSwapThread+0x6e1)

  2. Set a breakpoint at that function:

    bp nt!KiSwapThread

  3. Enable tracing, run twice (the first hit stops at that function, the second hit stops after tracing), and disable tracing:

    !enable; g; g; !disable

  4. Decode the recorded trace:

    !decode

WinDbg* dumps the recorded trace data:

6: kd> !decode
fffff803`bcc4adae 440fb6f0        movzx   r14d,al
fffff803`bcc4adb2 488bbbc8000000  mov     rdi,qword ptr [rbx+0C8h]
fffff803`bcc4adb9 0fba73740a      btr     dword ptr [rbx+74h],0Ah
fffff803`bcc4adbe 4c89a424b0000000 mov    qword ptr [rsp+0B0h],r12
fffff803`bcc4adc6 723b            jb      nt!KiSwapThread+0x1a3 (fffff803`bcc4ae03)
fffff803`bcc4adc8 4584f6          test    r14b,r14b
fffff803`bcc4adcb 0f858d010000    jne     nt!KiSwapThread+0x2fe (fffff803`bcc4af5e)
fffff803`bcc4add1 400fb6cd        movzx   ecx,bpl
fffff803`bcc4add5 440f22c1        mov     cr8,rcx
fffff803`bcc4add9 4c8b742460      mov     r14,qword ptr [rsp+60h]
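As an added example (not part of this page or of the Intel WinDbg extension), the following Python parser reads the `!decode` listing above, skips the `kd>` prompt line, and works out from the next recorded address whether each conditional branch was taken or fell through. The sample input is the trace shown on this page; in it both `jb` and `jne` fall through.

```python
import re

# Constructed sample: the !decode listing shown on this page.
TRACE = """\
fffff803`bcc4adae 440fb6f0        movzx   r14d,al
fffff803`bcc4adb2 488bbbc8000000  mov     rdi,qword ptr [rbx+0C8h]
fffff803`bcc4adb9 0fba73740a      btr     dword ptr [rbx+74h],0Ah
fffff803`bcc4adbe 4c89a424b0000000 mov    qword ptr [rsp+0B0h],r12
fffff803`bcc4adc6 723b            jb      nt!KiSwapThread+0x1a3 (fffff803`bcc4ae03)
fffff803`bcc4adc8 4584f6          test    r14b,r14b
fffff803`bcc4adcb 0f858d010000    jne     nt!KiSwapThread+0x2fe (fffff803`bcc4af5e)
fffff803`bcc4add1 400fb6cd        movzx   ecx,bpl
fffff803`bcc4add5 440f22c1        mov     cr8,rcx
fffff803`bcc4add9 4c8b742460      mov     r14,qword ptr [rsp+60h]
"""

# address (hi`lo), opcode bytes, mnemonic, operands
LINE_RE = re.compile(r"^(?P<hi>[0-9a-f]{8})`(?P<lo>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)\s+"
                     r"(?P<mnem>\S+)\s*(?P<ops>.*)$")
# resolved branch target WinDbg prints in parentheses
TARGET_RE = re.compile(r"\(([0-9a-f]{8})`([0-9a-f]{8})\)\s*$")


def parse_trace(text):
    """Return one dict per instruction: addr, len (bytes), mnem, ops, target."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # prompt lines such as "6: kd> !decode" do not match and are skipped
            continue
        ops = m.group("ops")
        t = TARGET_RE.search(ops)
        insns.append({"addr": int(m.group("hi") + m.group("lo"), 16),
                      "len": len(m.group("bytes")) // 2,
                      "mnem": m.group("mnem"), "ops": ops,
                      "target": int(t.group(1) + t.group(2), 16) if t else None})
    return insns


def branch_outcomes(insns):
    """(addr, mnemonic, taken) for each conditional jump; taken is None on a trace gap."""
    out = []
    for cur, nxt in zip(insns, insns[1:]):
        if not cur["mnem"].startswith("j") or cur["mnem"] == "jmp":
            continue
        fallthrough = cur["addr"] + cur["len"]
        taken = True if nxt["addr"] == cur["target"] else False if nxt["addr"] == fallthrough else None
        out.append((cur["addr"], cur["mnem"], taken))
    return out
```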
