1. Set the symbol path
Open WinDbg, in the menu symbol File path setting
"Srv*d:\symbols*http://msdl.microsoft.com/download/symbols"
D:\symbols is a folder on your local disk that is used to download Microsoft Symbol files
Also, add the PDB file path of the debug target program to the back
Example: Srv*d:\symbols*http://msdl.microsoft.com/download/symbols;d:\develop\projects\service\bin\release
2. Enable tracking of stack information in user mode
Run gflags.exe/i Xxx.exe +ust
Xxx.exe is the target program name for debugging
3. Start the target program with WinDbg or attach to the target process
4. View stack information
Run!heap-s
Display results similar to the following
Ntglobalflag enables following debugging aids for new heaps:
Validate Parameters
Stack back traces
Heap Flags reserv Commit Virt free List UCR Virt Lock Fast
(k) (k) (k) (k) Length blocks cont. heap
-----------------------------------------------------------------------------
00150000 58000062 1 1 1 0 0 L
00250000 58001062 1 1 0 0 L
00260000 58008060 64 12 12 10 1 1 0 0
00330000 58001062 261184 239484 239484 14 4 1 0 0
-----------------------------------------------------------------------------
See from the example 00330000 of the heap memory footprint is significantly higher
5. View statistics for a specific heap
Running!heap-stat-h 00330000
Show statistics for this heap
Displays a result similar to the following
Heap @ 00330000
Group-by:totsize max-display:20
Size #blocks Total (%) (Percent of total busy bytes)
1F64 76c6-e905f58 (99.99)
1800 1-1800 (0.00)
824 2-1048 (0.00)
238 2-470 (0.00)
244 1-244 (0.00)
4c 5-17c (0.00)
B0 2-160 (0.00)
2-10C (0.00)
3-F0 (0.00)
2-e8 (0.00)
4-E0 (0.00)
3-d8 (0.00)
C4 1-c4 (0.00)
2-C4 (0.00)
Be 1-be (0.00)
B8 1-b8 (0.00)
AE 1-ae (0.00)
AC 1-ac (0.00)
2-AA (0.00)
A4 1-a4 (0.00)
You can see that a block with 0x76c6 1f64 bytes is allocated, accounting for 99.99%
6. Display the memory address of the block
Running!heap-flt s 1F64
Show memory address with block size 1f64
_heap @ 150000
_heap @ 250000
_heap @ 260000
_heap @ 330000
Heap_entry Size Prev Flags userptr usersize-state
003360E0 03f0 0000 [] 003360e8 01f64-(busy)
00338060 03f0 03f0 [] 00338068 01f64-(busy)
00339fe0 03f0 03f0 [] 00339fe8 01f64-(busy)
0033bf60 03f0 03f0 [] 0033bf68 01f64-(busy)
0033dee0 03f0 03f0 [] 0033dee8 01f64-(busy)
01420040 03f0 03f0 [] 01420048 01f64-(busy)
01421FC0 03f0 03f0 [] 01421fc8 01f64-(busy)
01423f40 03f0 03f0 [] 01423f48 01f64-(busy)
01425EC0 03f0 03f0 [] 01425ec8 01f64-(busy)
01427e40 03f0 03f0 [] 01427e48 01f64-(busy)
01429DC0 03f0 03f0 [] 01429dc8 01f64-(busy)
0142BD40 03f0 03f0 [] 0142bd48 01f64-(busy)
0142DCC0 03f0 03f0 [] 0142dcc8 01f64-(busy)
0142FC40 03f0 03f0 [] 0142fc48 01f64-(busy)
01431BC0 03f0 03f0 [] 01431bc8 01f64-(busy)
01433B40 03f0 03f0 [] 01433b48 01f64-(busy)
01435AC0 03f0 03f0 [] 01435ac8 01f64-(busy)
01437a40 03f0 03f0 [] 01437a48 01f64-(busy)
014399C0 03f0 03f0 [] 014399c8 01f64-(busy)
0143b940 03f0 03f0 [] 0143b948 01f64-(busy)
0143D8C0 03f0 03f0 [] 0143d8c8 01f64-(busy)
0143f840 03f0 03f0 [] 0143f848 01f64-(busy)
014417C0 03f0 03f0 [] 014417c8 01f64-(busy)
01443740 03f0 03f0 [] 01443748 01f64-(busy)
014456C0 03f0 03f0 [] 014456c8 01f64-(busy)
01447640 03f0 03f0 [] 01447648 01f64-(busy)
014495C0 03f0 03f0 [] 014495c8 01f64-(busy)
0144b540 03f0 03f0 [] 0144b548 01f64-(busy)
0144D4C0 03f0 03f0 [] 0144d4c8 01f64-(busy)
0144f440 03f0 03f0 [] 0144f448 01f64-(busy)
014513C0 03f0 03f0 [] 014513c8 01f64-(busy)
01453340 03f0 03f0 [] 01453348 01f64-(busy)
014552C0 03f0 03f0 [] 014552c8 01f64-(busy)
01457240 03f0 03f0 [] 01457248 01f64-(busy)
014591C0 03f0 03f0 [] 014591c8 01f64-(busy)
0145b140 03f0 03f0 [] 0145b148 01f64-(busy)
0145D0C0 03f0 03f0 [] 0145d0c8 01f64-(busy)
0145f040 03f0 03f0 [] 0145f048 01f64-(busy)
01460FC0 03f0 03f0 [] 01460fc8 01f64-(busy)
01462f40 03f0 03f0 [] 01462f48 01f64-(busy)
01464EC0 03f0 03f0 [] 01464ec8 01f64-(busy)
01466e40 03f0 03f0 [] 01466e48 01f64-(busy)
01468DC0 03f0 03f0 [] 01468dc8 01f64-(busy)
7. View the call stack information
You can use any one of the USRPTR values to query
!heap-p-A 0143d8c8
Address 0143d8c8 found in
_heap @ 330000
Heap_entry Size Prev Flags userptr usersize-state
0143d8c0 03f0 0000 [] 0143D8C8 01f64-(busy)
trace:0025
7C96D6DC ntdll! Rtldebugallocateheap+0x000000e1
7c949d18 ntdll! rtlallocateheapslowly+0x00000044
7c91b298 ntdll! Rtlallocateheap+0x00000e64
102c103e msvcr90d!_heap_alloc_base+0x0000005e
102cfd76 Msvcr90d!_heap_alloc_dbg_impl+0x000001f6
102CFB2F msvcr90d!_nh_malloc_dbg_impl+0x0000001f
102CFADC msvcr90d!_nh_malloc_dbg+0x0000002c
102db25b msvcr90d!malloc+0x0000001b
102bd691 Msvcr90d!operator new+0x00000011
102bd71f Msvcr90d!operator new[]+0x0000000f
4113d8 test2! allocatememory+0x00000028
41145C test2!wmain+0x0000002c
411a08 test2!__tmaincrtstartup+0x000001a8
41184f test2!wmaincrtstartup+0x0000000f
7c816fd7 kernel32! baseprocessstart+0x00000023
Article translations and excerpts from: http://www.codeproject.com/Articles/31382/Memory-Leak-Detection-Using-Windbg
windbg Command Line Reference
Http://windbg.info/doc/1-common-cmds.html
How to use WinDbg to detect memory leaks