# windbg-mcp

An MCP server that exposes WinDbg/DbgEng to AI agents
(Claude Code, Claude Desktop, Cursor, …) over stdio. It drives a live debugger engine for
user-mode, kernel-mode, crash-dump, and Time Travel Debugging (TTD) workflows.
The low-level engine bindings live in win-kexp
(`src/dbgeng.rs`); this crate adds a dedicated engine thread and the rmcp tool surface on top.
## Architecture
- `engine.rs` — DbgEng requires serialized, single-thread access (`WaitForEvent` must run on the
  session-owning thread), so the `DebugEngine` is created on, and confined to, one OS worker thread.
  Async tool handlers marshal closures onto it via an mpsc channel with oneshot replies and a
  per-call timeout. A `catch_unwind` guard turns a panic in one operation into a failed call rather
  than a dead thread.
- `server.rs` — the MCP tools (see below), built with rmcp's `#[tool_router]`/`#[tool_handler]`.
- `ttd.rs` — locates `TTD.exe` and launches trace recording.
- `main.rs` — tokio + stdio transport. Logs go to stderr (stdout is the JSON-RPC channel).
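The engine-thread pattern described for `engine.rs`, as an added illustration rather than the crate's own code: a constructed `Engine` stand-in (made `!Send` with a raw-pointer `PhantomData`, in place of win-kexp's `DebugEngine`) is owned by one worker thread, callers marshal boxed closures to it over `std::sync::mpsc` (std channels stand in for whatever async channel types the server uses; that is an assumption), every call carries a timeout, and `catch_unwind` keeps a panicking operation from killing the thread.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::sync::mpsc::{self, RecvTimeoutError, Sender};
use std::{marker::PhantomData, thread, time::Duration};

// Constructed stand-in for the DbgEng session (not win-kexp's DebugEngine). The raw-pointer
// PhantomData makes it !Send, so the compiler enforces that it never leaves its thread.
pub struct Engine { calls: usize, _thread_bound: PhantomData<*const ()> }

impl Engine {
    pub fn execute(&mut self, cmd: &str) -> String {
        self.calls += 1;
        if cmd == "!crash" { panic!("extension faulted"); } // models a panic in one operation
        format!("ok: {cmd} (#{})", self.calls)
    }
}
// A job is a boxed closure run on the engine thread; it must be Send to cross the channel.
type Job = Box<dyn FnOnce(&mut Engine) + Send>;
#[derive(Debug, PartialEq)]
pub enum CallError { Panicked, Timeout, EngineGone }
pub struct EngineHandle { tx: Sender<Job> }

impl EngineHandle {
    /// Creates the engine on a dedicated OS thread that runs jobs strictly one at a time.
    pub fn spawn() -> Self {
        let (tx, rx) = mpsc::channel::<Job>();
        thread::spawn(move || {
            let mut engine = Engine { calls: 0, _thread_bound: PhantomData };
            for job in rx { job(&mut engine); } // loop ends when the last handle is dropped
        });
        Self { tx }
    }
    /// Marshals `f` onto the engine thread and waits up to `timeout` for its reply.
    pub fn call<R: Send + 'static>(
        &self, timeout: Duration, f: impl FnOnce(&mut Engine) -> R + Send + 'static,
    ) -> Result<R, CallError> {
        let (reply_tx, reply_rx) = mpsc::channel(); // one-shot reply channel
        let job: Job = Box::new(move |eng: &mut Engine| {
            // catch_unwind turns a panic into a failed call instead of a dead worker thread.
            let res = catch_unwind(AssertUnwindSafe(|| f(eng))).map_err(|_| CallError::Panicked);
            let _ = reply_tx.send(res); // receiver may already be gone after a timeout
        });
        self.tx.send(job).map_err(|_| CallError::EngineGone)?;
        match reply_rx.recv_timeout(timeout) {
            Ok(res) => res,
            Err(RecvTimeoutError::Timeout) => Err(CallError::Timeout),
            Err(RecvTimeoutError::Disconnected) => Err(CallError::EngineGone),
        }
    }
}
```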
## Requirements
- Windows x64 (host bitness must match the target).
- `dbgeng.dll` / `dbghelp.dll` — present in System32 on modern Windows 11 (verified with
  10.0.26100). This is enough for live user-mode/kernel debugging and crash-dump analysis.
- For crash-dump `!analyze` (and any other `!`-extension command), the engine needs the
  WinDbg `winext\` extensions bundled next to the binary — System32's engine ships none, so
  `!analyze` would return "No export analyze found". See Bundling the WinDbg engine below.
- For Time Travel Debugging (`.run`) replay, the System32 engine is not enough — it rejects
  `.run` traces (`0x80070057`). You need the WinDbg engine (which bundles the TTD replay
  components) loaded next to the binary — see Bundling the WinDbg engine below.
- `TTD.exe` (the standalone Time Travel Debugging recorder) for `record_trace` — ships with the
  WinDbg / TTD store packages; put it on `PATH`.
- A reachable symbol server (e.g. `srv*https://msdl.microsoft.com/download/symbols`) for symbol-name
  queries like `ttd_calls("ucrtbase!_stdio_common_vfprintf")`. Offline, address-based queries and the
  data model still work; symbol names won't resolve.
- Administrator for live kernel debugging and TTD recording (not for replay).
## Build or download
Prebuilt Windows x64 binaries are attached to each GitHub release as
`windbg-mcp-vX.Y.Z-windows-x64.zip` (with a `SHA256SUMS.txt` to verify the download
against — the skill's `setup.md` snippet does this for you) — no Rust toolchain needed.

To build from source instead:

```sh
cargo build --release
```

`win-kexp` is fetched automatically as a git dependency from `glslang/win-kexp` — no sibling checkout needed.
## Bundling the WinDbg engine
Needed for two things: TTD `.run` replay (System32's engine rejects traces with `0x80070057`) and
crash-dump `!analyze` (which lives in the `winext\` extensions that System32 doesn't ship).
`DebugCreate` binds to whichever `dbgeng.dll` the loader finds first, and the application directory is
searched before System32, so the copied WinDbg engine (which replays TTD traces and ships the
extensions) wins. Since the loader trusts whatever sits in that directory, copy the DLLs only from the
installed WinDbg package and keep the release directory writable by the installing account alone.
One-time, from the installed WinDbg store package:
```powershell
$wd = (Get-AppxPackage Microsoft.WinDbg).InstallLocation + "\amd64"
$dst = "C:\workspace\windbg-mcp\target\release"
Copy-Item "$wd\dbgeng.dll","$wd\dbghelp.dll","$wd\dbgcore.dll","$wd\dbgmodel.dll",`
    "$wd\symsrv.dll","$wd\msdia140.dll" $dst -Force
Copy-Item "$wd\ttd" "$dst\ttd" -Recurse -Force       # TTDReplay*.dll, TtdExt.dll, TTDAnalyze.dll, ...
Copy-Item "$wd\winext" "$dst\winext" -Recurse -Force # ext.dll (!analyze), kext.dll, … — crash-dump triage
```