windbg

Is there a known issue relating to Windows 7 Kernel Symbols?

会有一股神秘感。 Submitted on 2019-12-17 06:14:26
Question: I have a few Windows 7 machines that I am not able to read their memory dumps. I found something that I suspect may be related, but am not positive: https://twitter.com/aionescu/status/634028737458114560 I also found this: http://support.microsoft.com/kb/2528507 However, the scenario message regarding wow64exts given in the doc is not seen in any of my dumps. I also cannot apply that hotfix at this time to test it. So I'm just looking for some more information or opinions. I'm able to open

WinDbg 蓝屏dump分析教程

一个人想着一个人 Submitted on 2019-12-17 04:11:46
1. What is WinDbg and what can it do? WinDbg is a powerful user-mode and kernel-mode debugging tool for the Windows platform. It can locate the root cause of a problem directly from a dmp file and can be used to analyze the causes of blue screens and program crashes (for example IE crashes). It is an indispensable tool in our daily work; learning to use it will greatly improve the efficiency and accuracy of our problem solving. 2. WinDbg download: http://www.windbg.org/ 3. Setting the symbol path: The symbol store is WinDbg's key "database"; without it WinDbg is essentially useless and cannot analyze the cause of most problems, so setting the symbol path in WinDbg is a mandatory step. (1) Run WinDbg, then press Ctrl+S to open the symbol path settings window. (2) Paste the symbol path SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols into the input box and click OK. Note: C:\Symbols (shown in red in the original) is the local storage path for the symbols; a fixed path is recommended so that symbols are not downloaded repeatedly. 4. Recording DMP files: Run sysdm.cpl, go to "Advanced" > "Startup and Recovery" settings, and make sure the checkboxes there for writing a report after a blue screen are ticked; the system will then generate a dmp file in the minidump directory after a blue screen. As shown in the figure: 5. Learn to open your first dmp file! Once you have a dmp file, you can use the Ctrl+D shortcut to open it, or click File => Open in the WinDbg interface

How to benefit from heap tagging by DLL?

生来就可爱ヽ(ⅴ<●) Submitted on 2019-12-14 03:45:29
Question: How do I use and benefit from the GFlags setting Enable heap tagging by DLL? I know how to activate the setting for a process, but I did not find useful information in the output of !heap -t in WinDbg. I was expecting some output like this: 0:000> !heap -t Index Address Allocated by 1: 005c0000 MyDll.dll 2: 006b0000 AnotherDll.dll so that I can identify which heap was created by which DLL and then e.g. identify the source of a memory leak. Is this a misunderstanding of the term "heap tagging

Windbg scripting assigning the result of a command to a variable

北城余情 Submitted on 2019-12-14 03:26:26
Question: Regularly I need to investigate dump files, always in the same way, and I'd like to automate this. I'm using Windbg as a tool, and I'm thinking of using Windbg scripting. I have done some first attempts with PYKD, but I don't like the overhead that much, so I've opted for the standard Windbg scripting, but this is getting into a nightmare. Let me show you what I want to do: 0:001> kb # RetAddr : Args to Child : Call Site 00 00007ffc`26272685 : ffffffff`fffffffe 00007ff7`06e563f0 00007ff7

Demystify Windbg memory usage labels: "Private Working Set" is large while memory is marked as RegionUsageFree

纵然是瞬间 Submitted on 2019-12-13 19:09:22
Question: After a run, I see that my application takes 3.5 GB in TaskMgr. What I see in Windbg is a little bit confusing: 0:022> !address -summary ProcessParametrs 0000000001b7ed70 in range 0000000001b7e000 0000000001b80000 Environment 0000000001c0c970 in range 0000000001c0c000 0000000001c0e000 -------------------- Usage SUMMARY -------------------------- TotSize ( KB) Pct(Tots) Pct(Busy) Usage 1037fe000 ( 4251640) : 00.05% 87.22% : RegionUsageIsVAD 7fed67a5000 (8585059988) : 99.94% 00.00% :

Finding which function allocated a heap based on a memory address within the heap

大憨熊 Submitted on 2019-12-13 12:09:45
Question: So I know that a memory address (e.g. 12208e6c) is within a specific heap. Using windbg, is there a way to determine what the starting address for this heap is and which function was responsible for allocating it? Answer 1: !address <address> gives you information about the heap an address is contained in: 0:005> !address 03051234 Usage: Heap Base Address: 03050000 End Address: 0307c000 Region Size: 0002c000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE

DbgView on Vmware Workstation 12 not capturing output

£可爱£侵袭症+ Submitted on 2019-12-13 10:48:34
Question: I have a Windows 10 x64 OS installed on my VMware Workstation 12. I would like to do driver-related development on the VM, so I have Debug mode enabled and Driver Signing disabled. I can load my device driver successfully, but none of my calls to DbgPrint are being displayed. I tried to use DbgView with "Capture Kernel" and "Capture Global" checked; still nothing gets printed. I did run DbgView as Administrator. I even tried printing in Windbg X64, no luck. Has anyone dealt with this issue?

How can I make windbg force load symbols on reconnect?

て烟熏妆下的殇ゞ Submitted on 2019-12-13 08:48:32
Question: This is a goofy one. I've got a problem in a kernel module that only happens once every 50-100 reboots. I have the line in windbg that I want to break on, and I have the test machine rebooting whenever it detects the problem hasn't happened, so it can reboot and see if the failure happens next time. The issue is that I want windbg to stop on the breakpoint in the bootup process where I can see the problem happen. But when the test machine reboots, windbg gets disconnected (as the machine is

How to get handle to an event that may cause my application to go in hang state

为君一笑 Submitted on 2019-12-13 06:52:34
Question: I am doing a dump file analysis for an application hang problem. Here is one interesting line from the stack trace. 0bc2f3e4 75a8bd1e 0bc2f298 0bc2f30c 00000001 ntdll!KiFastSystemCallRet 0bc2f32a 6a393c42 00000001 7ffdf000 00000001 kernel32!WaitForMultipleObjectsEx+0x8e Looking at the WaitForMultipleObjectsEx description in MSDN, the second parameter is const HANDLE *lpHandles. This makes me think that I should be able to do a !handle 7ffdf000 to figure out which event it is waiting for, but when I