# wrmsr (write model-specific register) ### Command > wrmsr ### Syntax > wrmsr \[Msr (hex)] \[Value (hex)] \[core CoreNumber (hex)] ### Description Writes to the model-specific register using the '**wrmsr**' instruction. ### Parameters **\[Msr (hex)]** The index of MSR (`ECX` Register for '**wrmsr**' instruction). **\[Value (hex)]** The value to write on MSR (`EDX:EAX` for '**wrmsr**' instruction). **\[core CoreNumber (hex)] (optional)** The core that we want to write the MSR on it. {% hint style="success" %} If you don't specify the 'core' by default, it will be applied to all the cores. {% endhint %} ### Examples The following command shows how we can change the MSR register `c0000082` to ``fffff807`73553180`` using `wrmsr` command. ```diff HyperDbg> wrmsr c0000082 fffff807`73553180 ``` The following command shows how we can change the MSR register `c0000082` to the result of evaluating `nt!ExAllocatePoolWithTag+10` using `wrmsr` command. ```diff HyperDbg> wrmsr c0000082 nt!ExAllocatePoolWithTag+10 ``` The following command shows how we can change the MSR register `c0000082` to ``fffff807`73553180`` using `wrmsr` command for core `2`. ```diff HyperDbg> wrmsr c0000082 fffff807`73553180 core 2 ``` ### IOCTL This function works by calling **DeviceIoControl** with `IOCTL = IOCTL_DEBUGGER_READ_OR_WRITE_MSR`, you have to send it in the following structure. ```c typedef struct _DEBUGGER_READ_AND_WRITE_ON_MSR { UINT64 Msr; // It's actually a 32-Bit value but let's not mess with a register UINT32 CoreNumber; // specifies the core to execute wrmsr or read the msr // (DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES mean all the cores) DEBUGGER_MSR_ACTION_TYPE ActionType; // Detects whether user needs wrmsr or rdmsr UINT64 Value; } DEBUGGER_READ_AND_WRITE_ON_MSR, *PDEBUGGER_READ_AND_WRITE_ON_MSR; ``` Where `Msr` is `ecx` value for 'rdmsr' or 'wrmsr' instruction, `CoreNumber` is the target core that you want to read or write on it and `ActionType` shows whether it's an 'rdmsr' or 'wrmsr'. ```c typedef enum _DEBUGGER_MSR_ACTION_TYPE { DEBUGGER_MSR_READ, DEBUGGER_MSR_WRITE } DEBUGGER_MSR_ACTION_TYPE; ``` {% hint style="info" %} If you want to execute 'wrmsr' or 'rdmsr', you should set CoreNumber to `DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES`. {% endhint %} ```c #define DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES 0xffffffff ``` ### Remarks This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command. ### Requirements None ### Related [rdmsr (read model-specific register)](https://docs.hyperdbg.org/commands/debugging-commands/rdmsr) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.hyperdbg.org/commands/debugging-commands/wrmsr.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.