Search Results

Search found 116 results on 5 pages for 'windbg'.

  • What is your favourite Windbg tip/trick?

    - by user15071
    I have come to realize that Windbg is a very powerful debugger for the Windows platform & I learn something new about it once in a while. Can fellow Windbg users share some of their mad skills? ps: I am not looking for a nifty command, those can be found in the documentation. How about sharing tips on doing something that one couldn't otherwise imagine could be done with windbg? e.g. Some way to generate statistics about memory allocations when a process is run under windbg.

  • WinDbg fails to find symbol file reporting 'unrecognized OMF sig'

    - by sean e
    I have received a 64bit dump of a 32bit app that was running on Win7 x64. I am able to load it in WinDbg (hint: !wow64exts.sw) running on a 64bit OS. The symbols for most of my dlls are loaded properly. The pdb for one though does not load. The same pdb does load properly for the same dll when reading a 32bit dump on a different system. I've also confirmed that the dll and pdb match each other via the chkmatch utility. I tried .symopt +40 but the pdb still didn't load. I did !sym noisy then .reload - WinDbg reported:
        DBGHELP: unrecognized OMF sig: 811f1121
        *** ERROR: Symbol file could not be found.  Defaulted to export symbols
    Any ideas on what to try to get WinDbg to load my pdb when reading a 64bit dump?

  • Windbg + IDA: calculate an address in a module

    - by Benjamin
    Hi all, I'm debugging remotely a Windows XP machine. One of my drivers is loaded at address 0xb2c4c000 up to 0xb2cb9680. Now when I open my driver in IDA, the offset I want to set a breakpoint on is at 00017619. How can I effectively match my IDA address into windbg? I've tried the obvious, which is to sum 0xb2c4c000 + 00017619 = 0xB2C635F7 and disassemble that address using the 'u' command in windbg. But the results did not match the assembly in IDA. On the side question: is there a way to cancel a command that is running in windbg? Several times I've run commands that took ages to process; I would like to be able to cancel them if needed so I can keep working. Thanks for your time.

  • WinDbg Problem with ntoskrnl

    - by Wilf
    I've got a similar problem to "BSOD - Unable to verify timestamp for ntoskrnl.exe", in that I can't seem to get the correct symbols to read ntoskrnl. I've followed the advice given by BK1E, but still can't get a result. Text from debug below:
        Loading Dump File [C:\Users\XXXX\AppData\Local\Temp\WER9D78.tmp\Mini030610-01.dmp]
        Mini Kernel Dump File: Only registers and stack trace are available
        Symbol search path is: SRV*c:\Windows\Symbols*http://msdl.microsoft.com/download/symbols
        Executable search path is:
        Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
        *** WARNING: Unable to verify timestamp for ntoskrnl.exe
        *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
        Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x64
        Product: WinNt, suite: TerminalServer SingleUserTS Personal
        Machine Name:
        Kernel base = 0xfffff800`01e59000 PsLoadedModuleList = 0xfffff800`0201ddd0
        Debug session time: Sat Mar  6 14:08:20.516 2010 (UTC + 0:00)
        System Uptime: 0 days 0:42:01.723
        Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
        *** WARNING: Unable to verify timestamp for ntoskrnl.exe
        *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
        Loading Kernel Symbols
        ...............................................................
        ................................................................
        .........................
        Loading User Symbols
        Loading unloaded module list
        ....
        *******************************************************************************
        *                                                                             *
        *                        Bugcheck Analysis                                    *
        *                                                                             *
        *******************************************************************************
        Use !analyze -v to get detailed debugging information.
        BugCheck A, {11, c, 0, fffff80001ec9489}
        ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    How do I fix this issue? OS is Windows Vista x64 SP2.

  • Manually setting breakpoints in WinDBG

    - by chris
    I am trying to examine the assembly for an executable using WinDBG, but I am having a hard time getting to it. I want to set a breakpoint at the first instruction in my program, but when I try to do that manually (using the address of the module), WinDBG tells me that it is "unable to insert breakpoint" at that location due to an "Invalid access to memory location." I notice that when I create a breakpoint through the source code GUI, the address is not the same as the first part of my module (In my example: "Win32FileOpen", a simple program I wrote.) Is there a header of some sort that requires adding an offset to the address of my module? In another question, I saw the suggestion: "I would attempt to calculate the breakpoint address as: Module start + code start + code offset" but was unsure where to obtain those values. Can somebody please elaborate on this? The reason I don't just use the source GUI is that I want to be able to do this with a program that I may not have the source/symbols for. If there is an easier way to immediately start working with the executable I open, please let me know. (e.g. Opening an .exe Olly immediately shows me the assembly for that .exe, searching for referenced strings gives me results from that module, etc. WinDBG seems to start me off in ntdll.dll, which is not usually useful for me.) 
        0:000> lm
        start             end                 module name
        00000000`00130000 00000000`0014b000   Win32FileOpen C (private pdb symbols)  C:\cfinley\code\Win32FileOpen\Debug\Win32FileOpen.pdb
        00000000`73bd0000 00000000`73c2c000   wow64win   (deferred)
        00000000`73c30000 00000000`73c6f000   wow64      (deferred)
        00000000`74fe0000 00000000`74fe8000   wow64cpu   (deferred)
        00000000`77750000 00000000`778f9000   ntdll      (pdb symbols)          c:\symbols\mssymbols\ntdll.pdb\15EB43E23B12409C84E3CC7635BAF5A32\ntdll.pdb
        00000000`77930000 00000000`77ab0000   ntdll32    (deferred)
        0:000> bu 00000000`00130000
        0:000> bl
         0 e x86 00000000`001413a0     0001 (0001)  0:**** Win32FileOpen!main          <-- One that is generated via GUI
         1 e x86 00000000`00130000     0001 (0001)  0:**** Win32FileOpen!__ImageBase   <-- One I tried to set manually
        0:000> g
        Unable to insert breakpoint 1 at 00000000`00130000, Win32 error 0n998
            "Invalid access to memory location."
        bp1 at 00000000`00130000 failed
        WaitForEvent failed
        ntdll!LdrpDoDebuggerBreak+0x31:
        00000000`777fcb61 eb00            jmp     ntdll!LdrpDoDebuggerBreak+0x33 (00000000`777fcb63)

  • windbg dv cmd fail - Private symbols (symbols.pri) are required for locals

    - by leif
    I have a C++ application compiled with VS 2008 with pdb file enabled. After I tried to use the dv command to display local vars, it shows the following message:
        Unable to enumerate locals, HRESULT 0x80004005
        Private symbols (symbols.pri) are required for locals.
        Type ".hh dbgerr005" for details.
    Note that: I've run the "dv" command on the correct frame which has the symbol file. I can use the "dt" command successfully. I've included the symbol path and the pdb file has been loaded successfully as follows:
        start    end        module name
        00400000 0043f000   helloworld   (private pdb symbols)   c:\test...
    Does anyone know the cause? Is there any configuration I missed to enable local var watch? Or is the VS 2008 pdb not supported by windbg (I'm using the latest windbg version)?

  • windbg and symbols

    - by CaseyJones
    When I set a breakpoint on one of the methods that appears on top of the stack (!CLRStack), I get lots of these messages for every DLL that the debuggee is referencing, including the .NET Framework ones:
        ERROR: Module load completed but symbols could not be loaded
    Further digging into this shows that windbg is not loading every .pdb file that I make available in the symbols path. I've double-checked my symbol's path and it looks OK, but the following commands clearly show that not all PDBs are loaded correctly!
        0:000> !sym noisy
        noisy mode - symbol prompts on
        0:000> .reload
        Reloading current modules
        ................................................................
        DBGHELP: ntdll - public symbols
                 c:\symbols\ntdll.pdb\6992F4DAF4B144068D78669D6CB5D2072\ntdll.pdb
        ..
        0:000> .sympath
        Symbol search path is: SRV*c:\symbols*C:\xc
        Expanded Symbol search path is: srv*c:\symbols*c:\xc
    I have c:\symbols being used for the cache and c:\xc being used for the .NET app PDBs that WinDBG seems unable to find. Any idea what I can use to help further troubleshoot this? Thanks

  • Windbg pseudoregister expansion

    - by Giuseppe Guerrini
    Hi, I am trying to automate a device driver's debug session in Windows XP with Windbg. My device has an "index" register and a "data" register, both memory mapped. The index register must be filled with the internal register's index, and the value can be read from the data register. So, the following Windbg command prints correctly the value of the internal register 0x4C:
        !ed [uc] 0xfa000000 0x4c; !dd [uc] 0xfa000004 L1
    Now I would like to dump a range of internal registers, but it seems that the alias expansion doesn't work as expected in the !ed command. I am trying this cycle:
        .for (r $t0=0; @$t0<0x100; r $t0=@$t0+1) { !ed [uc] 0xfa000000 @$t0; !dd [uc] 0xfa000004 L1 }
    but it seems that the !ed command is ignored, as if @$t0 was expanded to an empty string. Tried "$t0", "@$t0", "${t0}" and "@${t0}", but without success. What am I doing wrong? Thank you in advance

  • How to break WinDbg in an anonymous method?

    - by Richard Berg
    Title kinda says it all. The usual SOS command !bpmd doesn't do a lot of good without a name. Some ideas I had:
    - dump every method, then use !bpmd -md when you find the corresponding MethodDesc: not practical in real world usage, from what I can tell. Even if I wrote a macro to limit the dump to anonymous types/methods, there's no obvious way to tell them apart.
    - use Reflector to dump the MSIL name: doesn't help when dealing with dynamic assemblies and/or Reflection.Emit. Visual Studio's inability to read local vars inside such scenarios is the whole reason I turned to Windbg in the first place...
    - set the breakpoint in VS, wait for it to hit, then change to Windbg using the noninvasive trick: attempting to detach from VS causes it to hang (along with the app). I think this is due to the fact that the managed debugger is a "soft" debugger via thread injection instead of a standard "hard" debugger. Or maybe it's just a VS bug specific to Silverlight (would hardly be the first I've encountered).
    - set a breakpoint on some other location known to call into the anonymous method, then single-step your way in: my backup plan, though I'd rather not resort to it if this Q&A reveals a better way

  • Use Windbg to find argument passed to a COM+ method

    - by G33kKahuna
    Generated a debug diagnostic dump file for a COM+ application. Upon analysis it looks like threads deadlock at line OLE32!SwitchSTA. My symbol path is pointing to msdl.microsoft.com/download/symbols. Is there a way to know what arguments were passed to this method? In general, how does one use Windbg to find the input argument value to the method call? thanks in advance

  • Postmortem debugging with WinDBG.

    - by Drazar
    I have a WCF service running on a server, and occasionally (1-2 times every month) it throws a COMException with the informative message "Unknown error (0x8005008)". When I googled for this particular error I only got threads about problems when creating virtual directories in IIS. And the source code doesn't have anything to do with making a virtual directory in IIS.
        DirectoryServiceLib.LdapProvider.Directory - CreatePost - Could not create employee for 195001010000,000000000000: System.Runtime.InteropServices.COMException (0x80005008): Unknown error (0x80005008)
           at System.DirectoryServices.PropertyValueCollection.PopulateList
    I've taken a memory dump when I catch the exception for further analysis in WinDBG. After switching to the right thread I executed the !CLRStack command:
        000000001b8ab6d8 000000007708671a [NDirectMethodFrameStandalone: 000000001b8ab6d8] Common.MemoryDump.MiniDumpWriteDump(IntPtr, Int32, IntPtr, MINIDUMP_TYPE, IntPtr, IntPtr, IntPtr)
        000000001b8ab680 000007ff002808d8 DomainBoundILStubClass.IL_STUB_PInvoke(IntPtr, Int32, IntPtr, MINIDUMP_TYPE, IntPtr, IntPtr, IntPtr)
        000000001b8ab780 000007ff00280812 Common.MemoryDump.CreateMiniDump(System.String)
        000000001b8ab7e0 000007ff0027b218 DirectoryServiceLib.LdapProvider.Directory.CreatePost(System.String, DirectoryServiceLib.Model.Post, DirectoryServiceLib.Model.Presumptions, Services.Common.SourceEnum, System.String)
        000000001b8ad6d8 000007fef8816869 [HelperMethodFrame: 000000001b8ad6d8]
        000000001b8ad820 000007feec2b6c6f System.DirectoryServices.PropertyValueCollection.PopulateList()
        000000001b8ad860 000007feec225f0f System.DirectoryServices.PropertyValueCollection..ctor(System.DirectoryServices.DirectoryEntry, System.String)
        000000001b8ad8a0 000007feec22d023 System.DirectoryServices.PropertyCollection.get_Item(System.String)
        000000001b8ad8f0 000007ff00274d34 Common.DirectoryEntryExtension.GetStringAttribute(System.String)
        000000001b8ad940 000007ff0027f507 DirectoryServiceLib.LdapProvider.DirectoryPost.Copy(DirectoryServiceLib.LdapProvider.DirectoryPost)
        000000001b8ad980 000007ff0027a7cf DirectoryServiceLib.LdapProvider.Directory.CreatePost(System.String, DirectoryServiceLib.Model.Post, DirectoryServiceLib.Model.Presumptions, Services.Common.SourceEnum, System.String)
        000000001b8adbe0 000007ff00279532 DirectoryServiceLib.WCFDirectory.CreatePost(System.String, DirectoryServiceLib.Model.Post, DirectoryServiceLib.Model.Presumptions, Services.Common.SourceEnum, System.String)
        000000001b8adc60 000007ff001f47bd DynamicClass.SyncInvokeCreatePost(System.Object, System.Object[], System.Object[])
    My conclusion is that it fails when the code is calling System.DirectoryServices.PropertyCollection.get_Item(System.String). So after issuing !CLRStack -a I get this result:
        000000001b8ad8a0 000007feec22d023 System.DirectoryServices.PropertyCollection.get_Item(System.String)
            PARAMETERS:
                this = <no data>
                propertyName = <no data>
            LOCALS:
                <CLR reg> = 0x0000000001dcef78
                <no data>
    My very first question is why does it display no data on the propertyName? I am kind of new to Windbg. However I executed a dumpobject on 0x0000000001dcef78:
        0:013> !do 0x0000000001dcef78
        Name: System.String
        MethodTable: 000007fef66d6960
        EEClass: 000007fef625eec8
        Size: 74(0x4a) bytes
        File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
        String: personalprescriptioncode
        Fields:
                      MT    Field   Offset                 Type VT     Attr            Value Name
        000007fef66dc848  40000ed        8         System.Int32  1 instance               24 m_stringLength
        000007fef66db388  40000ee        c          System.Char  1 instance               70 m_firstChar
        000007fef66d6960  40000ef       10        System.String  0   shared           static Empty
            >> Domain:Value  0000000000174e10:00000000019d1420 000000001a886f50:00000000019d1420 <<
    So when the source code wants to fetch the personalprescriptioncode from Active Directory (which is used for the persistence layer) it fails. Looking back at the stack, it is when issuing the Copy method:
        DirectoryServiceLib.LdapProvider.DirectoryPost.Copy(DirectoryServiceLib.LdapProvider.DirectoryPost)
    So looking in the source code:
        DirectoryPost postInLimbo = DirectoryPostFactory.Instance().GetDirectoryPost(LdapConfigReader.Instance().GetConfigValue("LimboDN"), idGenPerson.ID.UserId);
        if (postInLimbo != null)
            newPost.Copy(postInLimbo);
    This code is looking for another post in OU=limbo with the same UserId and if it finds one it copies the attributes to the new post. In this case it does, and it fails with personalprescriptioncode. I've looked in Active Directory under OU=Limbo and the post exists there with the attribute personalprescriptioncode=31243.
    Question 1: Why does it display no data for some of the PARAMETERS and LOCALS? Is it the GC that has cleaned up before the memory dump was created?
    Question 2: Is there anything more I can do to get to the solution to this problem?

  • WinDbg .for loop

    - by Scott
    I am having trouble getting the WinDbg .for command to work. I would like to dump an array of C++ structs.
        ?? gpTranData->mpApplCodes[0]
    works for a single entry but I would like to loop through n of these.
        .for ($t0=0;$t0<(gpTranData->miApplCodeCount);$t0++){ ?? &gpTranData->mpApplCodes[$t0] }
    sounds logical to me but I get
        Numeric expression missing from '>miApplCodeCount);$t0++){ ?? &gpTranData->m_pApplCodes[$t0] }'
    Any ideas? Scott

  • windbg/cdb hangs when bp hit

    - by aaron
    I have a problem where cdb or windbg hangs frequently, but not all the time, when I'm debugging with it and I attach to a specific application on my machine. I found this article: http://www.nynaeve.net/?p=164 which talks about a symbol loading race condition being the problem, but I can force load the symbols, actually have a breakpoint in-app work, and still have it hang elsewhere. Here is the stack from cdb itself when I attach to it with another debugger:
        ntdll!NtReadFile
        kernel32!ReadFile
        cdb!ReadNonConLine
        cdb!ConIn
        cdb!MainLoop
        cdb!main
    !analyze reports that APPLICATION_HANG_BusyHang is the problem bucket, and 'ReadNonConLine' is the offending function. As far as the stack goes:
        ffffffff`fffffffe 00000000`00000000 00000001`3f641498 00000000`0014ea50 : kernel32!ReadFile+0x86
        00000000`000002a4 00000000`0014ebb0 00000000`00001000 00000000`00000000 : cdb!ReadNonConLine+0x6d
    ReadNonConLine has the string "g" at 0014ebb0 passed as a param, which may be part of the command I had at the hanging breakpoint (it was something like bp foo "dt a; g"). ReadFile takes a handle as its first parameter. I'm surprised by the value -2, though, that doesn't look valid. Any help is appreciated. Thanks! Aaron

  • can we get the penultimate exception that occurred from an mdmp or hdmp in windbg

    - by Sammy
    Hi, I got a crash dump (both mdmp and hdmp) for my application (written in C++) captured using Dr. Watson. After analyzing the dumps through windbg, I concluded that the crash had occurred in the catch() itself :) What I need to know is what exception caused the failure in the first place, i.e. I need that penultimate (last but one) exception that had occurred. I know I could get the same by some other ways, but is there a specific command with which we could get the list of errors\exceptions occurring from the dump file. Thanks. --Samrat Patil

  • Windows debugging - WinDbg

    - by Santhosh77
    Hi, I got the following error while debugging a process with its core dump.
        0:000> !lmi test.exe
        Loaded Module Info: [test.exe]
                 Module: test
           Base Address: 00400000
             Image Name: test.exe
           Machine Type: 332 (I386)
             Time Stamp: 4a3a38ec Thu Jun 18 07:54:04 2009
                   Size: 27000
               CheckSum: 54c30
        Characteristics: 10f
        Debug Data Dirs: Type  Size     VA  Pointer
                     MISC     110,      0,   21000 [Debug data not mapped]
                      FPO      50,      0,   21110 [Debug data not mapped]
                 CODEVIEW   31820,      0,   21160 [Debug data not mapped] - Can't validate symbols, if present.
             Image Type: FILE     - Image read successfully from debugger.
                                    test.exe
            Symbol Type: CV       - Symbols loaded successfully from image path.
            Load Report: cv symbols & lines
    Does anybody know what the error "CODEVIEW 31820, 0, 21160 [Debug data not mapped] - Can't validate symbols, if present." really means? Does this error mean that I can't read public/private symbols from the executable? If not, why does the WinDbg debugger throw this type of error? Thanks in advance, Santhosh.

  • Help catching AV with WinDbg and ADPlus 7.0

    - by Stoune
    I want to catch Memory Access Violation in SQL Server Compact Edition like this described at http://debuggingblog.com/wp/2009/02/18/memory-access-violation-in-sql-server-compact-editionce/ The suggested config is:
        CRASH
        Quiet
        MyApp.exe
        NoDumpOnFirstChance
        clr;av FullDump gn
    I downloaded the latest Debugging Tools and observed that Microsoft rewrote the adplus tool in managed code and changed the syntax of the config file. I rewrote the config file like this:
        <ADPlus Version="2">
          <Settings>
            <RunMode>Crash</RunMode>
            <Option>Quiet</Option>
            <Option>NoDumpOnFirst</Option>
            <Sympath>c:\symbols\</Sympath>
            <OutputDir>c:\work\output\</OutputDir>
            <ProcessName>c:\work\app\output\MyApp.exe</ProcessName>
          </Settings>
          <Exceptions><!--to get the full dump on clr access violation-->
            <Exception Code="clr;av">
              <Actions1>FullDump</Actions1>
              <ReturnAction1>gn</ReturnAction1>
            </Exception>
          </Exceptions>
        </ADPlus>
    And I get the error "Couldn't find exception with code: clr;av". If I understand right it didn't load the sos extension, but I can't find the right section and syntax that I should use to load it. adplus_old.vbs - for some reason didn't launch the process on Windows 7. WinDBG 6.12.0002.633 X86, ADPlus Engine Version: 7.01.002 02/27/2009. Maybe someone has a working example of a config for debugging a .NET app with the latest adplus.exe?

  • WinDbg remote debugger protocol

    - by devviedev
    I'd like to build a client for dbgsrv.exe. I'd like to know if there's a spec on the protocol that it uses and if there are any (open source?) libraries that are able to communicate with it for a remote debugging session.

  • What does the windbg command "kd" do?

    - by Oskar
    I ran kd by mistake and got some output that interested me, a reference to a line of code in my module that I can't see on the call stack of any thread. The lines weren't the beginning of the method so I don't think the reference is to a function pointer, but possibly the result of an exception being stored in memory??? Of course, that happens to be what I'm looking for... Update: The stack trace of the exception is:
        0:000> kb
        *** Stack trace for last set context - .thread/.cxr resets it
        ChildEBP RetAddr  Args to Child
        0174f168 734ea84f 2cb9e950 00000000 2cb9e950 kernel32!LoadTimeZoneInformation+0x2b
        0174f1c4 734ead92 00000022 00000001 000685d0 msvbvm60!RUN_INSTMGR::ExecuteInitTerm+0x178
        0174f1f8 734ea9ee 00000000 0000002f 2dbc2abc msvbvm60!RUN_INSTMGR::CreateObjInstanceWithParts+0x1e4
        0174f278 7350414e 2cb9e96c 00000000 0174f2f0 msvbvm60!RUN_INSTMGR::CreateObjInstance+0x14d
        0174f2e4 734fa071 00000000 2cb9e96c 0174f2fc msvbvm60!RcmConstructObjectInstance+0x75
        0174f31c 00976ef1 2cb9e950 00591bc0 0174fddc msvbvm60!__vbaNew+0x21
    and into our code (create a new Form derived class). The dds output:
        0:000> dds esp-0x40 esp+0x100
        0174f05c  00000000
        0174f060  00000000
        0174f064  00000000
        0174f068  00000000
        0174f06c  00000000
        0174f070  00000000
        0174f074  00000000
        0174f078  00000000
        0174f07c  00000000
        0174f080  00000000
        0174f084  00000000
        0174f088  00000000
        0174f08c  00000000
        0174f090  00000000
        0174f094  00000000
        0174f098  00000000
        0174f09c  007f4f9b ourDll!formDerivedClass::Form_Initialize+0x10b [C:\Buildbox\formDerivedClass.frm @ 1452]
        etc
    which seems to indicate that Initialize is being called even though it isn't on the stack trace of either this exception or any of the threads. As suggested, it might all be a mismatch between pdbs and dlls, but it seems a coincidence that we end up in the right classes and methods

  • Is there a cap on the number of modules WinDbg can see?

    - by Bethor
    Does anyone know if there is a cap on the number of DLLs WinDbg can see ? I believe Visual Studio was once capped at 500 but I can't find a source for this claim outside of some second hand accounts at work. I'm trying to debug a hairy scenario and WinDbg's stack trace is incomplete. According to Process Explorer, the module I'm interested in is loaded but it doesn't show up in the output of 'lm' in WinDbg. Suspiciously, said output is exactly 500 modules long, even though I know there are many more than that loaded, leading me to believe WinDbg isn't seeing DLLs beyond the first 500. Can anyone confirm ? Or suggest some other reason why a loaded module might not show up in 'lm' ?

  • In windbg, how do I get a heap header address from !heap -l results?

    - by Kevin
    I am playing around with windbg's !heap command, particularly the "-l" switch which detects memory leaks. When -l does detect a leak, I am having problems navigating from its results to a stack trace for the source of the leak. Here is a snippet of the results from !heap -l
        0:066> !heap -l
        Searching the memory for potential unreachable busy blocks.
        Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
        0324b500  0324b508  01580000  03230000        20        60         a  busy
        0324b520  0324b528  01580000  03230000        20        20         a  busy
        0324b5c8  0324b5d0  01580000  03230000        20        28         a  busy
    Windbg's documentation for !heap tells me to use dt _DPH_BLOCK_INFORMATION with the header address, followed by dds with the block's StackTrace field. But the output for !heap -l doesn't specify a header address! It's only specifying Entry, User, Heap, and Segment. I've racked my brain looking over the other commands but can't figure out how to get the header address from any of these fields. Can someone help?

  • How can I create objects based on dump file memory in a WinDbg extension?

    - by pj4533
    I work on a large application, and frequently use WinDbg to diagnose issues based on a DMP file from a customer. I have written a few small extensions for WinDbg that have proved very useful for pulling bits of information out of DMP files. In my extension code I find myself dereferencing C++ class objects in the same way, over and over, by hand. For example:
        ULONG64 Address, addressOfPtr, addressOfObj;
        ULONG cb;
        Address = GetExpression("somemodule!somesymbol");
        ReadMemory(Address, &addressOfPtr, sizeof(addressOfPtr), &cb);
        // get the actual address of the object the pointer refers to
        ReadMemory(addressOfPtr, &addressOfObj, sizeof(addressOfObj), &cb);
        ULONG offset;
        ULONG addressOfField;
        GetFieldOffset("somemodule!somesymbolclass", "somefield", &offset);
        ReadMemory(addressOfObj+offset, &addressOfField, sizeof(addressOfField), &cb);
    That works well, but as I have written more extensions, with greater functionality (and accessing more complicated objects in our application's DMP files), I have longed for a better solution. I have access to the source of our own application of course, so I figure there should be a way to copy an object out of a DMP file and use that memory to create an actual object in the debugger extension that I can call functions on (by linking in dlls from our application). This would save me the trouble of pulling things out of the DMP by hand. Is this even possible? I tried obvious things like creating a new object in the extension, then overwriting it with a big ReadMemory directly from the DMP file. This seemed to put the data in the right fields, but freaked out when I tried to call a function. I figure I am missing something...maybe C++ pulls some vtable funky-ness that I don't know about? My code looks similar to this:
        SomeClass* thisClass = SomeClass::New();
        // overwrite the live object with the raw bytes from the dump
        ReadMemory(addressOfObj, &(*thisClass), sizeof(*thisClass), &cb);

  • How can I work out what events are being waited for with WinDBG in a kernel debug session

    - by Benj
    I'm a complete WinDbg newbie and I've been trying to debug a Windows XP problem that a customer has sent me where our software and some third party software prevent Windows from logging off. I've reproduced the problem and have verified that only when our software and the customer's software are both installed (although not necessarily running at logoff) does the log off problem occur. I've observed that WM_ENDSESSION messages are not reaching the running windows when the user tries to log off and I know that the third party software uses a kernel driver. I've been looking at the processes in WinDbg and I know that csrss.exe would normally send all the windows a WM_ENDSESSION message. When I ran:
        !process 82356020 6
    to look at csrss.exe's stack I can see:
        WARNING: Frame IP not in any known module. Following frames may be wrong.
        00000000 00000000 00000000 00000000 00000000 0x7c90e514

        THREAD 8246d998  Cid 0248.02a0  Teb: 7ffd7000 Win32Thread: e1627008 WAIT: (WrUserRequest) UserMode Non-Alertable
            8243d9f0  SynchronizationEvent
            81fe0390  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1004450
        Owning Process            82356020       Image:         csrss.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      1813           Ticks: 20748 (0:00:05:24.187)
        Context Switch Count      3                 LargeStack
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Start Address 0x75b67cdf
        Stack Init f80bd000 Current f80bc9c8 Base f80bd000 Limit f80ba000 Call 0
        Priority 14 BasePriority 13 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.
        ChildEBP RetAddr  Args to Child
        f80bc9e0 80500ce6 00000000 8246d998 804f9af2 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f80bc9ec 804f9af2 804f986e e1627008 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        f80bca24 bf80a4a3 00000002 82475218 00000001 nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        f80bca5c bf88c0a6 00000001 82475218 00000000 win32k!xxxMsgWaitForMultipleObjects+0xb0 (FPO: [Non-Fpo])
        f80bcd30 bf87507d bf9ac0a0 00000001 f80bcd54 win32k!xxxDesktopThread+0x339 (FPO: [Non-Fpo])
        f80bcd40 bf8010fd bf9ac0a0 f80bcd64 00bcfff4 win32k!xxxCreateSystemThreads+0x6a (FPO: [Non-Fpo])
        f80bcd54 8053d648 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23 (FPO: [Non-Fpo])
        f80bcd54 7c90e514 00000000 00000022 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f80bcd64)
    This WaitForMultipleObjects looks interesting because I'm wondering if csrss.exe is waiting on some event which isn't arriving to allow the logoff. Can anyone tell me how I might find out what event it's waiting for, or anything else I might do to further investigate the problem?

  • How to open a logfile in windbg from a script, such that each logfile is named by the timestamp of c

    - by shan23
    Hi, I want to run a windbg script that will accomplish the following: I want to track certain registers the moment an API is hit, without stopping due to timing issues. So, the moment the API is called, I want the script to open a logfile, echo the fact that the API is hit with the details of the parameters, and let it run till it hits the conditional breakpoint I've put at the API end, which simply closes the open logfile. Now, the problem is, I want to do this multiple times, w/o the previous logfile getting overwritten. Ideally, if there is some command which lets me specify the name of the logfile (.logfile file) by the timestamp of that moment, my problem is solved. Can anyone help?
