<RCtrl> To unlock keyboard
        after returning control from TRW

        (possible cause - hot key <Ctrl> modifier)

        --------------------------------------------------------

<CtrlAltDel>
        Reboot immediately

        --------------------------------------------------------

<Esc>   Clear command line

<Space> Complete command to the one shown at the bottom

<Up>    Walk history of commands
<Dn>    that begin with the chars already entered

        --------------------------------------------------------

<char>  Modify memory dialog
<Space>

<AltG>  Modify address dialog
<RClick>

<Lf>    Shift window text
<Rt>

        --------------------------------------------------------

<AltUp>
<AltDn>
<AltPgUp>
<AltPgDn>
        Scroll text in main data window

        From any non-floating window
        Command line not touched

        --------------------------------------------------------

<CtrlLf>
<CtrlRt>
        Shift text in main disassembler window

        From any non-floating window
        Command line not touched

<CtrlUp>
<CtrlDn>
<CtrlPgUp>
<CtrlPgDn>
        Scroll text in main disassembler window

        From dasm: highlighting bar not touched
        From any non-floating window
        Command line not touched

        --------------------------------------------------------

<ShftLf>
<ShftRt>
        Shift text in command window

        Only from command window
        Command line not touched

<ShftUp>
<ShftDn>
<ShftPgUp>
<ShftPgDn>
        Scroll text in command window

        Only from command window
        Command line not touched

        --------------------------------------------------------

<CtrlZ> Toggle Zoom state of
        current command/main disassembler/main data window

<Esc>   Toggle non-floating windows on/off

<Esc>   Switch from floating to command window

<Tab>   Switch between command and floating windows
        Also from any non-floating to floating

        --------------------------------------------------------

<AltCtrlLf>
<AltCtrlRt>
<AltCtrlUp>
<AltCtrlDn>
        Move entire TRW screen

        From any non-floating window
        Command line not touched

        --------------------------------------------------------

        All numbers are hex unless noted otherwise
        Parenthesize expressions if space-separated

                1+2 or (1 + 2)

        Maximum command length is 159 chars
        Maximum number of command parameters is 80

        --------------------------------------------------------

'^'     Can precede command to hide its output

';'     Separates commands

                ?1;?2;?3

        --------------------------------------------------------

.

        Display current instruction, same as "U cs:eip"

?

        Evaluate single decimal number (w/o sign)
        Evaluate expression (all numbers are hex)

                ? 100        ; 64h
                ? -100       ; -256 (-100h)

                ? 123+34     ; 157h
                ? 4d2h+9     ; 4dbh
                ? esi/4      ;
                ? (3+2)<<1   ; 10

                ?  1 + 2     ; error
                ? (1 + 2)    ; 3

                ? ds:esi     ; ds:ds, NOT ds:esi
                ? cs:400000  ; cs:cs, NOT cs:400000

                ? *cs:400000 ; error
                ? cs:*400000 ; pointed value

A [address]

        Assemble code
        Stop on entering an empty line

                jmp 401234   ; 401234h
                mov ax, 12   ;     12h

ADD DASM|DATA|STACK

        Create a new disassembler/data floating window
        Create a stack floating window only if absent

                add dasm
                add data
                add stack

ADDR

        Display context list

ADDW [pos] L|R|T|B DASM|DATA|REG

        Add a disassembler/data/reg window to the current CPU window
        Position is of the form Left|Right|Top|Bottom

                addw     R dasm
                addw 2   L data
                addw 2 2 T reg

BC [num|*]

        Break point clear

BD [num|*]

        Break point disable

BDOS

        Break on DOS program starter (RETF instruction)

        BDOS == BPMX &FFFF:A522 (WinME address)

BE [num|*]

        Break point enable

BL

        Break point list

BMSG  hwnd [msg]
BPMSG hwnd [msg]

        Set a breakpoint on a window message

        BPMSG == BMSG

                bmsg 12c wm_destroy

BP  [[seg:]address] [IF (condition)] [DO "statement"]
BPX [[seg:]address] [IF (condition)] [DO "statement"]

        Set a breakpoint on execute

        TRW will try Debug Register first
        If that fails, inserts int 3 (0xCC) into the user code

        As a special case, if the address is omitted
        and only a condition is given

                g if (condition)

        TRW will run the program step by step,
        checking the condition at each step

                g if ((byte)*eip==c3 && eip<402000)

        Special case

                mov ax, 1680
                int 2f       ; iret from PM causes skipping
                nop          ; set BPINT3 here (BPX NOT breaks)
                nop          ; set BPX    here
                ret

        Shortcut: F9 (for "BPX")

BP IF (condition)

        Set a breakpoint on a condition

                bp if (eax>=3456787)
                bp if (dx<543)
                bp if (ch==23)

                go if (ah!=34)

BPE num

        Break point edit

BPINT number|-R

        Set/Remove breakpoint on interrupt
        Number is truncated to byte (BAD21 == 21)
        Do NOT use "BPINT 3" (use "I3HERE ON" instead)

        BPINT -R removes the breakpoint

        Plug-in command

BPINT3 address

        Set a break point by inserting int 3 (0xCC) into user code

BPIO port

        Set a debug register breakpoint on port I/O

BPM[B|W|D] address R
BPM[B|W|D] address W
BPM[B|W|D] address RW
BPM[B|W|D] address X

        Sets a hardware breakpoint with DRx

        BPM == BPMB

BPMX address

        Sets an executive breakpoint with DRx

        This is the same as "BPM address X"

CLEARDR

        Clear DRx registers

CLS

        Clear command window and its history
        History can be saved to file from TRW File menu

CMT address 'comment'

        Define comment

                cmt cs:eip      'Check Point'
                cmt 28:c0001000 'VMM Begin'
                cmt 28:c0001005  Continue     ; will be CONTINUE

CODE ON|OFF|width

        Set disassembler code width

                code on  ; 5 (hard-coded)
                code off
                code a   ; hex

CWS

        Clear command window and its history
        History can be saved to file from TRW File menu

        Also close stack floating window

        Shortcut: F2 (command line not touched)

D[|B|W|D] [address]

        Dump memory in current|Byte|Word|Dword format

D[|B|W|D] range >file

        Perform a memory dump to the data window,
        or save a memory dump to file

                d 401000
                d cs:402000
                d 401000,402000 >file
                d 401000 L 100  >file

        Range definition in "S"

        Codes [01..1f] not blanked

        e trw2000+19f1b 20 ; blank them     (before >file)
                        01 ; leave them
                        xx ; blank [00..xx) (xx > 00, it's EOL there)

E [address [pattern]]

        Edit memory

                e                    ; focus data window
                e ds:edi             ; also
                e ds:edi 'nothing' 0 ; write pattern

        Pattern definition in "S"

        Maximum allowed pattern size is 40 (decimal) bytes
        NO overflow checking performed

        Shortcut: F7 (for "E")

EC

        Switch between code and command windows

        Shortcut: F6

EV

        Evaluate expression (all numbers are hex)
        Identical to "?" except
        result displayed in seg:address format

                ev ds:esi     ; ds:ds, NOT ds:esi
                ev cs:400000  ; cs:cs, NOT cs:400000

                ev *cs:400000 ; error
                ev cs:*400000 ; pointed value

EXP !
EXP module_name!
EXP partial_export_name

        Display matching exported API calls
        Search all of the exported API function names
        in all referenced modules

                exp !
                exp kernel32!
                exp *
                exp Get*
                exp *window*

        Not supported in VM mode

EXP16

        Display 16-bit exports

EXP32

        Display 32-bit exports

FAULTS [ON|OFF]

        Display/Enable/Disable system fault trapping

FILE [file]

        Select/Display source file

FKEY [F# "string"]

        Display/Set function keys

                fkey
                fkey F10 "D 2;U 3"

FONT 1|2

        Set graphics display font size

G [[seg:]address] [IF (condition)] [DO "statement"]

        Run

                g address        ; run to address,
                                 ; same as "gox address"
                g if (condition) ; run with condition

GDT [selector]

        Display Global Descriptor Table,
        or specific selector info

GO [[seg:]address] [IF (condition)] [DO "statement"]

        Go [to address], or [until condition]

                go if (eip>401000 && eip<10000000)

GO*

        Set the breakpoint, go, and clear it after the break
        Parameters are identical to BP*

H    [command]
HELP [command]

        Display help for all commands,
        or the referenced command in detail

        Shortcut: F1 (for "H")

                h    bpx
                help bpx

HBOOT

        Reboot

HEAP

        Display heap info
        Not supported in VM mode

HERE

        Go to here

        TRW will try Debug Register first
        If that fails, inserts int 3 (0xCC) into the user code

                             ; here NOT breaks (by DR)
                nop          ; here ok
                ret

        Shortcut: F8

HOTKEY

        Display current hot keys,
        and allow you to press a new key
        to display its value

HWND [hwnd]

        Display windows list
        Also detailed info for specified window

I3HERE [ON|OFF]

        Display/Enable/Disable catching int 3 by TRW

IDT [int_num]

        Display Interrupt Descriptor Table,
        or specific interrupt info

INT41 [ON|OFF]

        Display/Enable/Disable TRW as system debugger

LDT [selector]

        Display Local Descriptor Table,
        or specific selector info

LINES 25..50

        Set screen lines

                lines
                lines 33 ; decimal

LOG2 [file|OFF]

        Display/Enable/Disable logging the execution of program

                log2 c:\trw.log    ; begin log
                g if (eip>401000)  ; run a soft breakpoint,
                                   ; TRW will log all instructions
                log2 off           ; end log, and close file

        Plug-in command

MAKEPE [file [IMTE]]

        Make a valid PE file from program's memory image
        Default file name '\newpe.exe'
        Current EIP will be entrypoint of new PE

        For 32-bit DLL you must specify its IMTE
        and make sure the DLL is in current context
        Command 'mod32 dllname' will show its IMTE

MOD16 [.|hmod|mod_name]

        Display 16-bit modules list
        Also detailed info for specified module

                mod16
                mod16 13f
                mod16 kernel
                mod16 kern         ; NO info
                mod16 kern*        ; NO info
                mod16 .            ; for current module

MOD32 [.|hmod|mod_name]

        Display 32-bit modules list,
        Also detailed info for specified module

                mod32
                mod32 1cf
                mod32 kernel32.dll
                mod32 kern         ; kernel32.dll
                mod32 kern*        ; NO info
                mod32 .            ; for current module

NAME address 'name'

        Define symbol name

                name cs:eip      'CheckPoint'
                name 28:c0001000 'VMM Begin'  ; spaces are possible
                                              ; but not recommended
                name 28:c0001005  Continue    ; will be CONTINUE

P

        Step over one instruction

        If it seems to stop responding after a CLI instruction,
        press F5 or F12

        Special

                             ; executes w/o break here (need BPINT3)
                nop
                ret

        Shortcut: F11

PAGE address

        Display memory page info

                page 400000

PAGEIN address

        Load a not-present page into memory

                pagein cs:401000

PDLL32 name

        Run until 32-bit DLL entrypoint

                pdll32 mydll32.dll

        Maximum allowed name length is 40 (decimal) chars
        NO overflow checking performed

PEDUMP [file [IMTE]]

        Dump PE program's memory image to file
        Default file name '\dump.exe'

        For 32-bit DLL you must specify its IMTE
        and make sure the DLL is in current context
        Command 'mod32 dllname' will show its IMTE

        You can use G_Rom's MakePE to rebuild a valid PE

        Plug-in command ("VER PEDU" is internal)

PHYS address

        Physical to Linear

PLUGLIST

        List plug-ins

PMODULE

        "PRET" until cs:eip in the module
        Run only in user mode

PNEWSEC

        Go until entering a new section in PE image

PRET

        Run until RET, RETF, IRET

        Shortcut: F12

PROC [name]

        Display process list
        Also detailed info for specified process

R [name value]

        Change register

                r          ; focus registers window
                r ax  1234
                r eax 1234

RS

        Restore user Screen until keypress

        Shortcut: F3

S [range pattern]

        Search in memory

                s                    ; further search

                s 0 L ff 'window'
                s 100,200 'bug12' 34

        Range

                0,ff                 ; from ??:0 to ??:ff
                                       (data window segment)
                ds:0,ff              ; from ds:0 to ds:ff

                ds:0,ds:ff           ; invalid

                0 L ff               ; Length
                0 L -1               ; entire
                1 L -1               ; invalid (1 + ffff ffff = 0) < 1

                ds:esi L ecx         ; ok
                es:edi L ecx         ;

        Pattern

                0                    ; single byte
                0 1                  ; sequence of bytes

                [1234]5678           ; [d]word NOT allowed

                's'                  ; single char
                'string'             ; CASE-sensitive
                'string' 0           ; not comma-separated
                'a' 'b'              ; 'ab'
                'a''b'               ; 'ab'

                "error"              ; dquotes NOT allowed

                1+2                  ; 3
                ax ax>>8             ;  AX as in memory
                eax ...8 ...10 ...18 ; EAX as in memory

        Maximum allowed pattern size is 40 (decimal) bytes
        NO overflow checking performed
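
        Added example, not part of TRW or of the original reference:
        a C parser for the pattern forms listed above that writes into
        a fixed 40-byte buffer and applies the length check the note
        above says is not performed. The names pat_parse, pat_put and
        PAT_MAX are hypothetical; only hex byte literals and
        single-quoted strings are handled, not expressions or registers.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

#define PAT_MAX 40  /* limit stated in this reference (decimal) */

enum pat_err { PAT_OK = 0, PAT_TOO_LONG = -1, PAT_SYNTAX = -2, PAT_RANGE = -3 };

/* Append one byte, refusing to write past PAT_MAX. */
static int pat_put(unsigned char *out, size_t *n, unsigned char b)
{
    if (*n >= PAT_MAX)
        return PAT_TOO_LONG;
    out[(*n)++] = b;
    return PAT_OK;
}

/* Parse an "S"-style pattern into out[PAT_MAX] (hypothetical helper).
 * Returns the byte count (>= 1) or a negative pat_err. */
int pat_parse(const char *s, unsigned char out[PAT_MAX])
{
    size_t n = 0;
    int rc;

    while (*s) {
        if (isspace((unsigned char)*s)) { s++; continue; }

        if (*s == '\'') {                   /* 'string', case preserved */
            for (s++; *s && *s != '\''; s++)
                if ((rc = pat_put(out, &n, (unsigned char)*s)) != PAT_OK)
                    return rc;
            if (*s != '\'')
                return PAT_SYNTAX;          /* unterminated quote */
            s++;                            /* 'a''b' continues as 'ab' */
            continue;
        }

        if (isxdigit((unsigned char)*s)) {  /* hex byte literal */
            char *end;
            unsigned long v = strtoul(s, &end, 16);
            if (v > 0xff)
                return PAT_RANGE;           /* word/dword not allowed */
            if (*end && !isspace((unsigned char)*end) && *end != '\'')
                return PAT_SYNTAX;          /* expressions not handled */
            if ((rc = pat_put(out, &n, (unsigned char)v)) != PAT_OK)
                return rc;
            s = end;
            continue;
        }
        return PAT_SYNTAX;                  /* includes "dquotes" */
    }
    return n ? (int)n : PAT_SYNTAX;
}

int main(void)
{
    unsigned char buf[PAT_MAX];
    /* Constructed sample inputs, taken from the pattern forms above. */
    const char *samples[] = { "'string' 0", "'a''b'", "\"error\"", "12345678" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s -> %d\n", samples[i], pat_parse(samples[i], buf));
    return 0;
}
```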

SFILE [name]

        Save current symbol table to name in ESF format
        Without name display list of ? if present

SRC

        Toggle source mode, can be source/mixed/code

SS range pattern

        Search in memory like "S" and display all found at once

        Maximum allowed pattern size is 40 (decimal) bytes
        NO overflow checking performed

STACK

        Display call stack
        Supports only Win32 & VxD linear addresses

        Plug-in command

SUSPEND

        Suspend current 32-bit thread, and leave TRW
        Use the hot keys to get back (Ring3 resumes, Ring0 does not)

        Do not exit TRW while some thread is suspended,
        because that process stops responding,
        causes an error and is closed by Win

SYM

        List all debug symbols

T

        Trace into one instruction

        If it seems to stop responding after a CLI instruction,
        press F5 or F12

        Shortcut: F10

TABLE [name]

        Select/Display a symbol table

TASK

        Display task list

THREAD [.|Ring0TCB]

        THREAD          ; display list of  threads
        THREAD .        ; display current  thread info
        THREAD Ring0TCB ; display Ring0TCB thread info

TRNEWDOS

        Catch next DOS program

        Does not work as desired in WinME (use "BDOS" instead)

TRNEWTCB

        Catch next new thread at the first opcode
        32-bit or 16-bit app

        Do not run a Windows app from a DOS command prompt,
        or TRW will catch START.EXE

TRTCB Ring0TCB

        Catch an existing thread

U [address]
U range >file

        Disassemble to code window,
        or save disassembly output to a file

                u &c000:5678
                u 28:c0001000   >file
                u 401000
                u 401000,402000 >file
                u 401000 L 100  >file
                u cs:402000

        Range definition in "S"

VCALL *partial_name*|VxD_ID|service_num

        Display VxD calls

                vcall *   ;                display all VxD   calls
                vcall partial_name
                vcall num ; if num<10000h, display all VxDid calls
                          ; if num>10000h, display the VxD   call

                vcall 0d
                vcall 100001
                vcall *sys*
                vcall *thread*

        VMM        0001
        DEBUG      0002
        VPICD      0003
        VDMAD      0004
        VTD        0005
        V86MMGR    0006
        PAGESWAP   0007
        PARITY     0008
        REBOOT     0009
        VDD        000A
        VSD        000B
        VMD        000C
        VKD        000D
        VCD        000E
        VPD        000F
        BLOCKDEV   0010
        VMCPD      0011
        EBIOS      0012
        BIOSXLAT   0013
        VNETBIOS   0014
        DOSMGR     0015
        WINLOAD    0016
        SHELL      0017
        VMPOLL     0018
        VPROD      0019
        DOSNET     001A
        VFD        001B
        ...

VER [parameters]

        VER                    ; show TRW version

        VER BLUE               ; ? (nothing visual)
        VER ERRO               ; executes STI instruction
        VER INFO               ; TRW info
        VER KEEP               ; "X" w/leave TRW screen
        VER MEM                ; TRW memory usage
        VER PEDU [file [IMTE]] ; PEDUMP internal command
        VER SAY                ; TRW windows info
        VER SYM                ; symbols memory usage
        VER TEST               ; write 40 bytes
                               ; (somewhere in TRW stack)
                               ; to file C:\AU
                               ; (w/strange mouse effects)
        VER TST1               ; empty
        VER TST8 number        ; empty

        Shortcut: F4 (for "VER KEEP")

VM [ID]

        Display VM list
        Also detailed info for specified VM

VXD [VxD_name]

        Display VxD list
        Also detailed info for specified VxD

VXDSYM [ID SvcNum Symbol|R ID SvcNum]

        Load/Remove a VxD symbol

                vxdsym                       ; display list of
                                             ; loaded VxD symbols
                vxdsym 1 0 'Get_VMM_Version'
                vxdsym R 1 0

W range file

        Write memory to file

                w cs:eip,eip+100 c:\sav.bin
                w ds:401000,402000 file
                w 401000 L 100 c:\out.bin

        Range definition in "S"

WC [lines]

        Set the length, in lines, of the code window
        No parameter will toggle it on/off

                wc
                wc 25 ; decimal

WD [lines]

        Set the length, in lines, of the data window
        No parameter will toggle it on/off

                wd
                wd 25 ; decimal

WMSG [number|name]

        Display window message name by number and vice versa

                wmsg            ; display all messages
                wmsg 12
                wmsg wm_de      ; wm_destroy
                wmsg wm_destroy

        Total 359 messages recognized

                CB    34
                EM    36
                LB    40
                MN     8
                SBM    8
                STM    4
                WM   229

WR [lines]

        Set the length, in lines, of the reg window
        No parameter will toggle it on/off

                wr
                wr 5 ; decimal

WS

        Toggle stack floating window on/off
        Also focuses it when turned on

        <Esc> switch from floating to command window
        <Tab> switch between command and floating windows
              also from any non-floating to floating

X

        Return to Windows, host debugger or program

        Shortcut: F5

-> eof <-
