windbg

Windows crash dump analysis

∥☆過路亽.° submitted on 2021-02-08 09:51:04
Question: I am using DebugDiag to analyze a crash dump on Windows. This is the report summary description: In XXXX.dmp the assembly instruction at msvcr120!abort+4a in C:\Windows\System32\msvcr120.dll from Microsoft Corporation has caused an unknown exception (0x40000015) on thread 26. And the call stack is:
ntdll!NtWaitForMultipleObjects+a
KERNELBASE!WaitForMultipleObjectsEx+e8
kernel32!WaitForMultipleObjectsExImplementation+b3
kernel32!WerpReportFaultInternal+215
kernel32!WerpReportFault+77

How to examine user thread call stack from windbg kernel debugger?

安稳与你 submitted on 2021-02-08 09:26:09
Question: My exe-once test program calls CancelIo and it blocks. I'd like to investigate in which function it is blocking, so, when it blocks, I use windbg to break into the machine remotely and try to find it out. As marked in yellow in the image, my EXE has two threads, fffffa8013958b60 and fffffa8013aa1060. I already know that fffffa8013aa1060 is the one calling CancelIo. Then, how do I show the current call stack of the thread fffffa8013aa1060?
1: kd> !process fffffa8014c25170 2 PROCESS

Windbg could not attach to process. Access was denied.

隐身守侯 submitted on 2021-02-08 08:01:51
Question: I tried attaching to a process (which belongs to an antivirus) using windbg. I ran windbg as administrator but I get the following error when I try to attach to the process:
Unable to examine process id 6128. Win32 error 0n5
Cannot debug pid 6128, Win32 error 0n5
Access is denied
Is there anything that I am overlooking? Thank you for your help. Answer 1: Even though you're logged on as an administrator, you may need to run windbg as an elevated administrator. Try right clicking the windbg icon and

Windbg could not attach to process. Access was denied.

江枫思渺然 submitted on 2021-02-08 08:00:15
Question: I tried attaching to a process (which belongs to an antivirus) using windbg. I ran windbg as administrator but I get the following error when I try to attach to the process:
Unable to examine process id 6128. Win32 error 0n5
Cannot debug pid 6128, Win32 error 0n5
Access is denied
Is there anything that I am overlooking? Thank you for your help. Answer 1: Even though you're logged on as an administrator, you may need to run windbg as an elevated administrator. Try right clicking the windbg icon and

Debugging 32 bit application running in 64 bit environment

风流意气都作罢 submitted on 2021-02-07 10:20:57
Question: I have a 32-bit .NET 4.0 application running in a WOW64 environment on a 64-bit machine. The application encountered an error and I took a dump with the 32-bit Task Manager present in C:\Windows\SysWOW64\taskmgr.exe. I am using a 32-bit WinDbg to analyze this dump. I loaded the following DLLs: 1) .loadby sos CLR 2) .load mscordacwks (from the client machine). But still I am not able to use SOS commands like !clrstack, !threads etc. I get the error: Failed to load data access DLL, 0x80004005 What

WinDbg windows symbols

独自空忆成欢 submitted on 2021-02-07 09:45:37
Question: I am trying to debug a dump file for an application that I wrote. I added the following symbol paths to WinDbg. I assumed this would download the Windows symbols necessary to debug this. I then run the following command in WinDbg: "!analyze -v". This starts analyzing and then fails because of symbols it cannot find. When I look at C:\MyServerSymbols I see the following. I would have expected to see more than just the kernelbase.dll. The analyze command is complaining that it cannot find the ntdll

switching to user stack in kernel dumps

北城以北 submitted on 2021-02-06 09:33:06
Question: Is there a way to switch to user mode of a particular process in a kernel dump while doing postmortem debugging? I remember doing this while live debugging using the .process command. Answer 1: .process also works in kernel dumps. First, you can find your process using !process 0 0 myprocess.exe and then switch to that process using .process <address> where <address> is the hex number after PROCESS. Note that you are still kernel debugging and you have only the physical memory of that process

Convert address into a number that PyKD can work with / equivalent of the WinDbg ? command

こ雲淡風輕ζ submitted on 2021-01-29 21:30:32
Question: In WinDbg, I have several options to define a number:
0:006> ? 17
Evaluate expression: 23 = 00000017
0:006> ? 0x17
Evaluate expression: 23 = 00000017
0:006> ? 0n23
Evaluate expression: 23 = 00000017
0:006> ? ntdll
Evaluate expression: 2004549632 = 777b0000
0:006> ? ntdll+100
Evaluate expression: 2004549888 = 777b0100
0:006> ? ntdll!NtCreateThreadEx
Evaluate expression: 2005018944 = 77822940
0:006> ? 0t755
Evaluate expression: 493 = 000001ed
0:006> ? 0y1111
Evaluate expression: 15 = 0000000f
I

Windows process handle count continues to grow

落爺英雄遲暮 submitted on 2021-01-29 12:46:16
Question: I'm working on a C++ project on Windows 10. It's been noticed that over time the handles associated with the process increase and continue to grow. Searching online for a reason, I'm not sure if this means that the process has a memory leak or if this is normal. When memory is allocated and then freed, would I see the handles increase and decrease? I've been using this as I'm struggling to find what the cause is: https://docs.microsoft.com/en-us/archive/blogs/markrussinovich/pushing-the

WinDbg get addresses of all functions from symbols

天大地大妈咪最大 submitted on 2021-01-28 02:31:48
Question: Executing the command x ShittyProject!* I am getting this output:
<MSIL:00250014 > ShittyProject!Main (void)
<MSIL:00250098 > ShittyProject!.ctor (void)
<MSIL:00250037 > ShittyProject!.ctor (void)
<MSIL:002500ed > ShittyProject!get_Default (void)
<MSIL:002500a1 > ShittyProject!get_ResourceManager (void)
<MSIL:002500f8 > ShittyProject!.cctor (void)
<MSIL:0025002a > ShittyProject!Foo (void)
<MSIL:0025006e > ShittyProject!InitializeComponent (void)
<MSIL:00250000 > ShittyProject!InitializeComponent