# Grease

A Windows kernel-mode debug message viewer with a WinForms GUI.
Traditional kernel debuggers (WinDbg, KD) require enabling kernel debug mode and rebooting:

```
bcdedit /debug on
bcdedit /dbgsettings ...
```

This puts the system into a special state and slows it down.
(a bit from AI):
Grease works on a normal, unmodified Windows boot. It loads as a standard demand-start WDM driver and communicates with the GUI over DeviceIoControl. No kernel debug transport, no second machine, no reboot into debug mode - just install the driver and go.
| | WinDbg / KD | Grease |
|---|---|---|
| Requires `bcdedit /debug on` | ✅ yes | ❌ no |
| Requires reboot to enable | ✅ yes | ❌ no |
| Requires second machine / VM | often | ❌ no |
| Real-time GUI | ❌ no | ✅ yes |
| Works on production-like boot | ❌ no | ✅ yes |
- Kernel session — attach to the Windows kernel and capture `DbgPrint` output, process/thread create/exit events, and module load events
- Process sessions — attach to up to 8 user-mode processes simultaneously and capture their debug output
- Software breakpoints — set and remove INT3 breakpoints in kernel or user space; inspect x64 register context (RAX–R15, RFLAGS) on hit
- Symbol resolution — load PDB files into the kernel driver to resolve addresses to `module!function` names
- Message queue — lock-free ring buffer (4096 entries) with rate limiting (10 000 msg/window) and overflow tracking
- Output filtering — filter by severity (INFO / WARNING / ERROR / BREAKPOINT), source (kernel, driver, process), and event type (thread, module, process events)
- Themes — Dark, White, and Pink built-in themes; selection persisted across sessions
- Driver installer — install, start, stop, and uninstall `Grease.sys` directly from the UI without touching `sc.exe`
```
┌─────────────────────────────────────┐
│ Grease.exe (WinForms)               │
│   MainForm ─ SessionManager         │
│   OutputPanel ─ DetailsPanel        │
│   DriverComm (DeviceIoControl)      │
└──────────────┬──────────────────────┘
               │ IOCTL over \\.\Grease
┌──────────────▼──────────────────────┐
│ Grease.sys (WDM driver)             │
│   KernelSession    ProcessSession   │
│   BreakpointManager SymbolResolver  │
│   MessageQueue (ring buffer)        │
└─────────────────────────────────────┘
```
| File | Responsibility |
|---|---|
| `Driver.c` / `.h` | `DriverEntry`, IRP dispatch, global device context |
| `IoctlDispatcher.c` | Routes DeviceIoControl requests to subsystems |
| `KernelSession.c` | Registers/unregisters `PsSetCreate*` and `DbgPrint` callbacks |
| `ProcessSession.c` | Tracks up to 8 attached processes |
| `BreakpointManager.c` | INT3 injection, single-step resume, register capture |
| `SymbolResolver.c` | PDB loading and address-to-symbol lookup |
| `MessageQueue.c` | `KSPIN_LOCK`-protected ring buffer with rate limiting |
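The feature list and the `SymbolResolver.c` row both describe address-to-symbol lookup (`module!function`). The following is an added example, not Grease's own resolver code: it assumes that a loaded PDB has been reduced to a per-module array of (RVA, name) pairs sorted by RVA, finds the module containing an address, then the nearest symbol at or below the offset, and formats the result into a caller-supplied buffer. The module and function name limits (64 and 256 characters) are taken from the limits table; the sample module, its base, size and symbols are constructed for the demo.

```c
/* Added example (not part of the Grease project): address -> module!function lookup.
 * Assumptions: symbols per module are pre-sorted by RVA; the sample data below is made up. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define GREASE_MAX_MODULES       32   /* from the README limits table */
#define GREASE_MAX_MODULE_NAME   64
#define GREASE_MAX_FUNCTION_NAME 256

typedef struct { uint32_t rva; const char *name; } grease_symbol_t;

typedef struct {
    char name[GREASE_MAX_MODULE_NAME];
    uint64_t base, size;
    const grease_symbol_t *symbols;   /* sorted ascending by rva */
    size_t symbol_count;
} grease_module_t;

typedef struct { grease_module_t modules[GREASE_MAX_MODULES]; size_t count; } grease_resolver_t;

/* Register a module. Rejects too many modules, over-long names and unsorted symbol tables,
 * so later lookups can rely on binary search and bounded formatting. */
bool grease_resolver_add_module(grease_resolver_t *r, const char *name, uint64_t base,
                                uint64_t size, const grease_symbol_t *syms, size_t n)
{
    if (r->count >= GREASE_MAX_MODULES || strlen(name) >= GREASE_MAX_MODULE_NAME || size == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (strlen(syms[i].name) >= GREASE_MAX_FUNCTION_NAME) return false;
        if (i > 0 && syms[i - 1].rva >= syms[i].rva) return false;   /* must be strictly sorted */
    }
    grease_module_t *m = &r->modules[r->count++];
    snprintf(m->name, sizeof m->name, "%s", name);
    m->base = base; m->size = size; m->symbols = syms; m->symbol_count = n;
    return true;
}

/* Module whose [base, base+size) range contains addr, or NULL. */
static const grease_module_t *find_module(const grease_resolver_t *r, uint64_t addr)
{
    for (size_t i = 0; i < r->count; i++)
        if (addr >= r->modules[i].base && addr - r->modules[i].base < r->modules[i].size)
            return &r->modules[i];
    return NULL;
}

/* Index of the largest rva <= off (binary search), or -1 if off precedes every symbol. */
static long find_symbol(const grease_symbol_t *syms, size_t n, uint32_t off)
{
    long lo = 0, hi = (long)n - 1, best = -1;
    while (lo <= hi) {
        long mid = lo + (hi - lo) / 2;
        if (syms[mid].rva <= off) { best = mid; lo = mid + 1; } else hi = mid - 1;
    }
    return best;
}

/* Format "module!function", "module!function+0xNN" or "module+0xNN" into out.
 * Returns false when the address lies in no registered module. */
bool grease_resolve(const grease_resolver_t *r, uint64_t addr, char *out, size_t out_len)
{
    const grease_module_t *m = find_module(r, addr);
    if (!m) return false;
    uint64_t off = addr - m->base;
    long idx = find_symbol(m->symbols, m->symbol_count, (uint32_t)off);
    if (idx < 0) {
        snprintf(out, out_len, "%s+0x%llx", m->name, (unsigned long long)off);
        return true;
    }
    uint64_t delta = off - m->symbols[idx].rva;
    if (delta == 0) snprintf(out, out_len, "%s!%s", m->name, m->symbols[idx].name);
    else snprintf(out, out_len, "%s!%s+0x%llx", m->name, m->symbols[idx].name,
                  (unsigned long long)delta);
    return true;
}

/* Constructed sample module (names/addresses are invented for the demo). */
static const grease_symbol_t kSampleSymbols[] = {
    { 0x1000, "DriverEntry" }, { 0x2000, "DispatchIoctl" }, { 0x3000, "EnqueueMessage" },
};

bool grease_load_sample_module(grease_resolver_t *r)
{
    return grease_resolver_add_module(r, "sample", 0x10000, 0x4000, kSampleSymbols, 3);
}

int main(void)
{
    grease_resolver_t r = {0};
    char buf[GREASE_MAX_MODULE_NAME + GREASE_MAX_FUNCTION_NAME + 32];
    grease_load_sample_module(&r);
    if (grease_resolve(&r, 0x12010, buf, sizeof buf)) printf("%s\n", buf);   /* sample!DispatchIoctl+0x10 */
    return 0;
}
```

The output buffer is sized from the two limits plus room for the separator and offset, and `snprintf` truncates rather than overruns if a PDB carries longer names than expected.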
| File | Responsibility |
|---|---|
| `DriverComm.cs` | Wraps `CreateFile` / `DeviceIoControl` / `CloseHandle` |
| `DriverInstaller.cs` | SCM-based install / start / stop / uninstall |
| `MainForm.cs` | Main window, toolbar, status bar, polling loop |
| `OutputPanel.cs` | Virtual-mode list of debug messages |
| `ProcessPickerDialog.cs` | Running-process picker |
| `DebugMessage.cs` | Managed representation of `GREASE_DEBUG_MESSAGE` |
| `AppTheme.cs` | Theme definitions and persistence |
All codes use device type `0x8000` and `METHOD_BUFFERED`.

| IOCTL | Code | Description |
|---|---|---|
| `IOCTL_GREASE_ATTACH_KERNEL` | `0x800` | Start kernel session (callbacks + `DbgPrint`) |
| `IOCTL_GREASE_DETACH_KERNEL` | `0x801` | Stop kernel session |
| `IOCTL_GREASE_ATTACH_PROCESS` | `0x802` | Attach to a process by PID |
| `IOCTL_GREASE_DETACH_PROCESS` | `0x803` | Detach from a process by PID |
| `IOCTL_GREASE_SET_BREAKPOINT` | `0x804` | Set INT3 breakpoint (kernel or user) |
| `IOCTL_GREASE_REMOVE_BREAKPOINT` | `0x805` | Remove breakpoint by ID |
| `IOCTL_GREASE_READ_MESSAGES` | `0x806` | Dequeue pending debug messages |
| `IOCTL_GREASE_LOAD_SYMBOLS` | `0x807` | Load a PDB file into the symbol resolver |
| `IOCTL_GREASE_RESUME_THREAD` | `0x808` | Resume a thread paused at a breakpoint |
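The table gives only the function numbers; the full control code the GUI passes to `DeviceIoControl` is built with the WDK `CTL_CODE` layout (device type in bits 16-31, access in bits 14-15, function in bits 2-13, method in bits 0-1). The example below is added here and is not Grease's `IoctlDispatcher.c`: it reproduces that encoding for the nine codes, decodes incoming codes back into their fields, and shows the buffer-length validation a `METHOD_BUFFERED` dispatcher must do before touching `SystemBuffer`, since every request here arrives from a user-mode caller. The access bits (`FILE_ANY_ACCESS`) and the request/response struct layouts are assumptions; the README names only `GREASE_DEBUG_MESSAGE`, whose real layout is not given.

```c
/* Added example (not the project's own dispatcher). Device type 0x8000, the function
 * numbers and METHOD_BUFFERED come from the README; everything else is assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define METHOD_BUFFERED 0
#define FILE_ANY_ACCESS 0   /* assumed: the README does not state the access bits */

/* Same bit layout as the WDK CTL_CODE macro. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define FILE_DEVICE_GREASE 0x8000u

#define IOCTL_GREASE_ATTACH_KERNEL     CTL_CODE(FILE_DEVICE_GREASE, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_DETACH_KERNEL     CTL_CODE(FILE_DEVICE_GREASE, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_ATTACH_PROCESS    CTL_CODE(FILE_DEVICE_GREASE, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_DETACH_PROCESS    CTL_CODE(FILE_DEVICE_GREASE, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_SET_BREAKPOINT    CTL_CODE(FILE_DEVICE_GREASE, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_REMOVE_BREAKPOINT CTL_CODE(FILE_DEVICE_GREASE, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_READ_MESSAGES     CTL_CODE(FILE_DEVICE_GREASE, 0x806, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_LOAD_SYMBOLS      CTL_CODE(FILE_DEVICE_GREASE, 0x807, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_GREASE_RESUME_THREAD     CTL_CODE(FILE_DEVICE_GREASE, 0x808, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Field extraction: the inverse of CTL_CODE. */
static inline uint32_t ioctl_device_type(uint32_t code) { return code >> 16; }
static inline uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
static inline uint32_t ioctl_method(uint32_t code)      { return code & 0x3u; }

/* Hypothetical request/response layouts; the real ones are not in the README. */
typedef struct { uint32_t ProcessId; } GREASE_PID_REQUEST;
typedef struct { uint64_t Address; uint32_t IsKernel; uint32_t Reserved; } GREASE_SET_BREAKPOINT_REQUEST;
typedef struct { uint32_t BreakpointId; } GREASE_BREAKPOINT_ID;
typedef struct { uint32_t ThreadId; } GREASE_RESUME_THREAD_REQUEST;
typedef struct { uint32_t PathLengthChars; wchar_t Path[260]; } GREASE_LOAD_SYMBOLS_REQUEST;
typedef struct { uint32_t Severity; uint32_t ProcessId; uint64_t Timestamp; char Text[256]; } GREASE_DEBUG_MESSAGE;

typedef enum {
    GREASE_DISPATCH_OK,
    GREASE_DISPATCH_WRONG_DEVICE,       /* not our device type / transfer method */
    GREASE_DISPATCH_UNKNOWN_CODE,
    GREASE_DISPATCH_INPUT_TOO_SMALL,    /* caller's InputBufferLength below the request size */
    GREASE_DISPATCH_OUTPUT_TOO_SMALL    /* caller's OutputBufferLength below the response size */
} grease_dispatch_result_t;

/* Validate a request before any subsystem reads SystemBuffer. In the driver the two lengths
 * come from IrpSp->Parameters.DeviceIoControl; here they are plain arguments. */
grease_dispatch_result_t grease_check_ioctl(uint32_t code, size_t in_len, size_t out_len)
{
    size_t need_in = 0, need_out = 0;
    if (ioctl_device_type(code) != FILE_DEVICE_GREASE || ioctl_method(code) != METHOD_BUFFERED)
        return GREASE_DISPATCH_WRONG_DEVICE;
    switch (code) {
    case IOCTL_GREASE_ATTACH_KERNEL:
    case IOCTL_GREASE_DETACH_KERNEL:     break;                                  /* no payload */
    case IOCTL_GREASE_ATTACH_PROCESS:
    case IOCTL_GREASE_DETACH_PROCESS:    need_in = sizeof(GREASE_PID_REQUEST); break;
    case IOCTL_GREASE_SET_BREAKPOINT:    need_in = sizeof(GREASE_SET_BREAKPOINT_REQUEST);
                                         need_out = sizeof(GREASE_BREAKPOINT_ID); break;
    case IOCTL_GREASE_REMOVE_BREAKPOINT: need_in = sizeof(GREASE_BREAKPOINT_ID); break;
    case IOCTL_GREASE_READ_MESSAGES:     need_out = sizeof(GREASE_DEBUG_MESSAGE); break; /* >= 1 message */
    case IOCTL_GREASE_LOAD_SYMBOLS:      need_in = sizeof(GREASE_LOAD_SYMBOLS_REQUEST); break;
    case IOCTL_GREASE_RESUME_THREAD:     need_in = sizeof(GREASE_RESUME_THREAD_REQUEST); break;
    default:                             return GREASE_DISPATCH_UNKNOWN_CODE;
    }
    if (in_len < need_in)   return GREASE_DISPATCH_INPUT_TOO_SMALL;
    if (out_len < need_out) return GREASE_DISPATCH_OUTPUT_TOO_SMALL;
    return GREASE_DISPATCH_OK;
}

/* How many whole messages a READ_MESSAGES output buffer can hold (never a partial record). */
size_t grease_read_capacity(size_t out_len) { return out_len / sizeof(GREASE_DEBUG_MESSAGE); }

int main(void)
{
    printf("IOCTL_GREASE_ATTACH_KERNEL = 0x%08x\n", IOCTL_GREASE_ATTACH_KERNEL);   /* 0x80002000 */
    printf("attach-process with empty buffer -> %d\n",
           grease_check_ioctl(IOCTL_GREASE_ATTACH_PROCESS, 0, 0));               /* INPUT_TOO_SMALL */
    return 0;
}
```

With `METHOD_BUFFERED` the input and output share one `SystemBuffer`, so a handler that writes `n` messages must also set `Irp->IoStatus.Information` to `n * sizeof(GREASE_DEBUG_MESSAGE)` and never more than the capacity computed above.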
| Component | Requirement |
|---|---|
| OS | Windows 10 / 11 x64 |
| Driver signing | Test-signing mode or a valid EV code-signing certificate |
| User-mode app | .NET Framework 4.7.2 |
| Build tools | Visual Studio 2022 + WDK (Windows Driver Kit) |
| Privileges | Administrator — required to install the driver and open the device |
- Install the Windows Driver Kit matching your Visual Studio version.
- Open `Grease.sln` in Visual Studio 2022.
- Select the Kernel project, set configuration to `Debug x64` or `Release x64`.
- Build — the output is `Grease.sys`.
- Select the Grease (C#) project in the same solution.
- Build — targets .NET Framework 4.7.2.
Administrator privileges are required.

- Enable test-signing if you are using an unsigned build:

  ```
  bcdedit /set testsigning on
  ```

  Reboot after running this command.
- Launch `Grease.exe` as Administrator.
- Click Install Driver in the toolbar, select the compiled `Grease.sys`, and confirm. The driver is copied to `%SystemRoot%\System32\drivers\` and registered as a demand-start service.
- Click Attach Kernel to start capturing kernel-level events, or Attach Process to pick a running process by PID.
- Debug messages appear in the Output panel in real time. Double-click any message to see full details and register context in the Details panel.
- Use Output Filter in the toolbar to show or hide specific severity levels, sources, or event types.
- Use File → Save Output to export the current message log to a `.txt` file.
From the application: stop all sessions, then use the SCM or `sc.exe`:

```
sc stop Grease
sc delete Grease
del %SystemRoot%\System32\drivers\Grease.sys
```

Or call `DriverInstaller.Uninstall()` programmatically — it stops the service, deletes the SCM entry, and removes the `.sys` file.
| Resource | Limit |
|---|---|
| Simultaneous process sessions | 8 |
| Breakpoints | 256 |
| Message queue depth | 4 096 messages |
| Rate limit | 10 000 messages per window |
| Symbol modules | 32 |
| Module name length | 64 wide chars |
| Function name length | 256 wide chars |
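The feature list, the `MessageQueue.c` row and this limits table all describe the same component: a 4 096-entry ring buffer with a 10 000-messages-per-window rate limit and overflow tracking. The code below is an added example, not Grease's `MessageQueue.c`: it implements that accounting in plain C so the two drop paths (queue full vs. rate limit exceeded) and their counters can be exercised. The depth and rate limit are the README's numbers; the window length, the message layout and the single-threaded producer/consumer (the README mentions both a lock-free design and a `KSPIN_LOCK`, neither of which is reproduced here) are assumptions.

```c
/* Added example (not the project's own code): bounded ring buffer with per-window rate limit.
 * Assumed: window length, message layout, single producer and single consumer. */
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define GREASE_QUEUE_DEPTH  4096    /* README: message queue depth (must stay a power of two) */
#define GREASE_RATE_LIMIT   10000   /* README: messages per window */
#define GREASE_WINDOW_TICKS 1000    /* assumed window length, in whatever units 'now' uses */
#define GREASE_MAX_TEXT     256     /* assumed */

typedef struct {
    uint64_t timestamp;
    uint32_t process_id;
    uint32_t severity;
    char     text[GREASE_MAX_TEXT];
} grease_message_t;                  /* stand-in for GREASE_DEBUG_MESSAGE */

typedef struct {
    grease_message_t slots[GREASE_QUEUE_DEPTH];
    uint32_t head;                   /* next slot to dequeue; monotonically increasing */
    uint32_t tail;                   /* next slot to enqueue; monotonically increasing */
    uint64_t window_start;           /* start of the current rate-limit window */
    uint32_t window_count;           /* enqueue attempts seen in the current window */
    uint64_t overflow_dropped;       /* dropped because the ring was full */
    uint64_t rate_dropped;           /* dropped because the window budget was spent */
} grease_queue_t;

grease_queue_t *grease_queue_create(void) { return calloc(1, sizeof(grease_queue_t)); }
void grease_queue_destroy(grease_queue_t *q) { free(q); }
uint32_t grease_queue_count(const grease_queue_t *q) { return q->tail - q->head; }

/* Producer side (in the driver: called from the DbgPrint / Ps* callbacks).
 * Returns false and bumps the matching counter when the message is dropped. */
bool grease_queue_push(grease_queue_t *q, uint64_t now, uint32_t pid,
                       uint32_t severity, const char *text)
{
    if (now - q->window_start >= GREASE_WINDOW_TICKS) {   /* new window: reset the budget */
        q->window_start = now;
        q->window_count = 0;
    }
    /* Every attempt consumes budget, so a flood cannot bypass the limit by filling the ring. */
    if (q->window_count >= GREASE_RATE_LIMIT) { q->rate_dropped++; return false; }
    q->window_count++;

    if (grease_queue_count(q) >= GREASE_QUEUE_DEPTH) { q->overflow_dropped++; return false; }

    grease_message_t *m = &q->slots[q->tail & (GREASE_QUEUE_DEPTH - 1)];
    m->timestamp = now;
    m->process_id = pid;
    m->severity = severity;
    snprintf(m->text, sizeof m->text, "%s", text);        /* truncates, never overruns */
    q->tail++;                                            /* publish after the slot is filled */
    return true;
}

/* Consumer side (in the driver: the READ_MESSAGES handler). Copies up to max messages. */
size_t grease_queue_pop(grease_queue_t *q, grease_message_t *out, size_t max)
{
    size_t n = 0;
    while (n < max && q->head != q->tail) {
        out[n++] = q->slots[q->head & (GREASE_QUEUE_DEPTH - 1)];
        q->head++;
    }
    return n;
}

int main(void)
{
    grease_queue_t *q = grease_queue_create();
    for (int i = 0; i < GREASE_QUEUE_DEPTH + 10; i++)
        grease_queue_push(q, 0, 4, 0, "constructed sample message");
    printf("queued=%u overflow_dropped=%llu\n", grease_queue_count(q),
           (unsigned long long)q->overflow_dropped);   /* queued=4096 overflow_dropped=10 */
    grease_queue_destroy(q);
    return 0;
}
```

The monotonically increasing `head`/`tail` pair with power-of-two masking avoids the ambiguous full-versus-empty state of a wrap-around index, and the GUI polling loop can read `overflow_dropped` and `rate_dropped` to tell the user that the log has gaps rather than silently showing an incomplete stream.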