Channel 9

Channel 9

Channel 9 is a community. We bring forward the people behind our products and connect them with those who use them. We think there is a great future in software and we're excited about it. We want the community to participate in the ongoing conversation. This is the heart of Channel 9. We talk about our work but listen to the customer.

https://channel9.msdn.com/

Technology
subscribe
share






claim!
report

Defrag Tools #167 - Debugging User Mode Crash Dumps Redux | Defrag Tools

In this episode of Defrag Tools, Andrew Richards and Chad Beeder use Debugging Tools for Windows (WinDbg) to determine the root cause of various application crashes which have occurred on Andrew's computer. We use Sysinternals ProcDump to capture the dumps.

While debugging, we take a side trip into configuring colors for Compressed and Encrypted files in Windows Explorer, and use Sysinternals Process Monitor to determine why the debugger was getting an Access Denied when loading the PDE Debugger Extension.

We did a similar investigation in these two episodes:

  • Defrag Tools #135 - Debugging User Mode Crash Dumps Part 1
  • Defrag Tools #136 - Debugging User Mode Crash Dumps Part 2

We cover how to install the Debugging Tools for Windows in this episode:

  • Defrag Tools #131 - Windows 10 SDK

Get the Sysinternals tools from http://www.sysinternals.com. We use:

  • Sysinternals ProcDump
  • Sysinternals Process Monitor

Get the PDE debugger extension from the Defrag Tools OneDrive

Get your Symbol Path to the Microsoft Public Symbol Server:

  • Via Environment Variable
    setx /m _NT_SYMBOL_PATH SRV*C:\My\Sym*http://msdl.microsoft.com/download/symbols
  • In the Debugger
    .sympath SRV*C:\My\Sym*http://msdl.microsoft.com/download/symbols

To collect dumps of crashes on your own machine, install ProcDump as the Postmortem (AeDebugger) debugger:

    md c:\dumps
    procdump.exe -ma -i c:\dumps 

On any dump (user or kernel), you can run automated analysis to view the issue:

    !analyze -v

Debugging Cheat Sheet

  • c0000005 is an Access Violation - use .ecxr & k
  • c000027b is a Stowed Exception (Store Apps) - use !pde.dse
  • e0434352 is a CLR Exception - use !sos.pe
  • e0697282 is a C++ Exception - use .ecxr & k
  • 80000003 is a Breakpoint - use !analyze -v
  • When typing a decimal number, prefix it "0n"
  • When typing a hexadecimal number, prefix it "0x" (the default prefix)

Common Debugger Commands

.exr -1

  • View the Exception Code and the Exception Parameters
  • Number looking like C0xxxxxx and 80xxxxxx are HRESULTs (Error Codes)
  • Number looking like 7FFFxxxxxxxx are usually code (assembler) addresses

!address <number>

  • Display the address information - Commited/Reserved/Free, Image/Mapped/Private
  • Used to determine if a number is code or data.

ln <address>

  • List Nearest address
  • Displays the symbol at or near the address
  • Used to determine if a number is code or data.

.ecxr

  • Change the debugging context to the point of the exception (rather than being at the Windows Error Reporting context)

r

  • View the registers at the current context. (.ecxr produces the same output)

k

  • View the call stack

lmvm <module>

  • View loaded module verbosely with a mask
  • View a module's details, including folder, timestamp, description, copyright, product/file version

|  (Vertical Bar or Pipe character)

  • View the executable's path (e.g. c:\windows\notepad.exe)

!ext.error

  • Get the description of an Error Code. Best at describing System Error Codes.

!pde.err

  • Get the description of an Error Code. Good at describing HRESULTs (80xxxxxx and C0xxxxxx)

!pde.dpx

  • Scrape the current thread for evidence (symbols, structures, strings, etc.)

.formats <number>

  • Displays the number in various formats.
  • Easy way of working out if a number is actually ASCII text, or a date/time

!sos.pe

  • Display a CLR Exception.
  • If there is an Inner Exception, click on the link to view it.

.cordll -u & .cordll -l

  • If SOS isn't loaded, try to do an unload and load of the CLR support.

!peb

  • View the Process Environment Block (Modules, Command Line, Environment Variables, etc.)

!teb

  • View the current Thread's Environment Block (Stack Range, Last Error Code, Last Status Code, etc.)

!gle

  • Get Last Error
  • Display the Last Error Code and Last Status Code of the current thread

.cls

  • Clear the screen.

.reload

  • Force a reload (download) of symbols for the modules on the current stack.

.reload /f

  • Force a full reload (download) of symbols for the modules on the current stack.

 

Store Applications

To view the currently installed Store Applications and their version use:

Registry Editor (regedit.exe)

  • HKEY_CURRENT_USER\SOFTWARE\Classes\ActivatableClasses\Package

PowerShell

  • Get-AppxPackage

 

fyyd: Podcast Search Engine
share








 August 29, 2016  56m