
Thursday, 18 September 2014

WinDbg : The r (register) command

To display the registers of the current thread (in kernel mode, of the current processor at the point where execution stopped), use the register (r) command. With no arguments it dumps the general-purpose registers, the flags and the segment registers, followed by the instruction at eip:

kd> r
eax=827411fc ebx=91387b02 ecx=00000001 edx=00000000 esi=82733d20 edi=00000000
eip=826495cb esp=91387b24 ebp=91387b3c iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!KiTrap0E+0x2cf:
826495cb 833d04db768200  cmp     dword ptr [nt!KiFreezeFlag (8276db04)],0 ds:0023:8276db04=00000000

To see the value of a specific register, give its name to r:

kd> r eax
eax=827411fc

The r command can be used to both read and write into registers.

r can also be used to access pseudo-registers and read and write them. The debugger always interprets its first argument as a register or pseudo-register. (An at (@) sign is not required or permitted.) If there is a second argument for the r command, it is interpreted according to the default expression syntax. 

If the default expression syntax is C++, we must use the following command to copy the $t2 pseudo-register to the $t1 pseudo-register.

0:000> r $t1 = @$t2 

Notice that even though both $t1 and $t2 are pseudo-registers, the at sign (@) is only needed on the right-hand side: the left-hand side is always a register name, the right-hand side is an expression. In MASM syntax the @ on the right is optional, but writing it tells the evaluator to skip the symbol lookup it would otherwise try first.

To write a value to a register or pseudo-register, we do the following:

0:000> r $t0 = 7

for a normal register

0:000> r eax = 7

or, to store 128 times the value of the variable MyVar in a pseudo-register (in MASM syntax a symbol evaluates to its address, so poi(MyVar) is needed to read the variable's contents):

0:000> r $t1 = 128*poi(MyVar)

A pseudo-register is always typed as an integer, unless the ? switch is used together with the r command. Using this switch, the pseudo-register acquires the type of whatever is assigned to it. 

For example, after the following command $t15 is no longer an integer: it takes the type of the right-hand expression, the UNICODE_STRING structure at 0x0012FFBC, and ?? @$t15 will display it as that structure rather than as a number.

0:000> r? $t15 = * (UNICODE_STRING*) 0x12ffbc
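The following script ties the pieces above together: integer pseudo-registers written and read with r, a real register overwritten, and a typed pseudo-register created with r?. It is an added example, not code from the original post or from Microsoft's documentation. It assumes a user-mode x86 target, MASM expression syntax, and uses kernel32!Sleep purely as a stand-in for any function whose first stack argument you want to track; the ntdll!_PEB cast and the @$peb pseudo-register are assumed to resolve on the target.

```windbg
$$ Added example (not from the original post): r and pseudo-registers in a breakpoint script.
$$ Assumed: user-mode x86 target, MASM syntax, kernel32!Sleep as a placeholder function.
.expr /s masm
$$ Pseudo-registers hold integers unless r? is used; initialise two scratch values.
r $t0 = 0
r $t1 = 0
$$ On every hit: bump the counter in $t0, copy the first argument (milliseconds, at
$$ [esp+4] on entry to a stdcall function) into $t1, print, and continue.
$$ The @ is written on the right-hand side only; the left-hand side is always a register name.
bp kernel32!Sleep "r $t0 = @$t0 + 1; r $t1 = poi(@esp+4); .printf \"Sleep call %d: %d ms, eax=%p\\n\", @$t0, @$t1, @eax; gc"
g
$$ Once the target has been broken into again, inspect what the script collected.
r $t0
r $t1
$$ Writing a real register: the new eax is what the target sees when it resumes.
r eax = 0
$$ Typed pseudo-register via r?: $t2 takes the type of the cast, so ?? can walk it.
r? $t2 = @@c++((ntdll!_PEB *)@$peb)
?? @$t2->ImageBaseAddress
```

Keeping the counter and the last argument in $t0 and $t1 rather than in real registers matters because the breakpoint command runs inside the target's context: every real register you touch there is a value the target will see when gc resumes it, which is exactly what the r eax = 0 line demonstrates.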

r is a very versatile command with several switches and customizations (masks, floating-point and vector register views, per-thread display). Consult the WinDbg reference for the r command if you need anything specific.
