问题
I am trying to debug a dump file for an application that I wrote.
I added the following symbols paths to WinDbg
I assumed this would download the windows symbols necessary to debug this.
I then run the following cammand in WinDbg "!analyze -v"
This starts analyzing and then fails because of symbols it cannot find.
When I look at C:\MyServerSymbols I see the following
I would have expected to see more than just the kernelbase.dll
The analyze command is complaining that it cannot find the ntdll symbols.
Below is the full output it is giving me.
Does anyone know how to get the symbols it is needing?
0:001> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: $ntdllsym!_CONTEXT ***
*** ***
*************************************************************************
***** OS symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_CONTEXT ***
*** ***
*************************************************************************
DUMP_CLASS: 2
DUMP_QUALIFIER: 400
CONTEXT: (.ecxr)
rax=0000015d205000b8 rbx=0000000000000400 rcx=000000003f800000
rdx=000000004001000a rsi=00000040bb2cc3a0 rdi=00007ff6fd43cbe8
rip=00007ffa9b617788 rsp=00000040bb2cba20 rbp=00007ff6fd490690
r8=00000040bb2cb500 r9=0000015d00000000 r10=0000015d205000b8
r11=0000000000000000 r12=00000000ffffffff r13=0000000000000000
r14=00007ff6fd43cbe8 r15=0000015d362a6b30
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
KERNELBASE+0x17788:
00007ffa`9b617788 488b8c24c0000000 mov rcx,qword ptr [rsp+0C0h] ss:00000040`bb2cbae0=00007feb67d9e224
Resetting default scope
FAULTING_IP:
KERNELBASE+17788
00007ffa`9b617788 488b8c24c0000000 mov rcx,qword ptr [rsp+0C0h]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffa9b617788 (KERNELBASE+0x0000000000017788)
ExceptionCode: 00000001
ExceptionFlags: 00000000
NumberParameters: 0
PROCESS_NAME: ntdll.wrong.symbols.dll
WRONG_SYMBOLS_TIMESTAMP: 5825887f
WRONG_SYMBOLS_SIZE: 1d1000
FAULTING_MODULE: 00007ffa9ef60000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 5825887f
ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols. ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 0000000000000000 to 0000000000000000
ANALYSIS_SESSION_HOST: L5R5MHC2C16
ANALYSIS_SESSION_TIME: 02-01-2017 10:17:19.0325
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
STACK_TEXT:
00000000`00000000 00000000`00000000 WRONG_SYMBOLS!WRONG_SYMBOLS+0x0
STACK_COMMAND: .ecxr ; kb ; ** Pseudo Context ** ; kb
THREAD_SHA1_HASH_MOD_FUNC: 2a06fe893fc51638e55bcc8ee02bcdf6f10cbc26
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 214d5e958d92c59434e5414a89d1e95c2f82d12a
THREAD_SHA1_HASH_MOD: 79d1e41e8e0e291e73ec18352c568efa4ef4b5ab
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
BUGCHECK_STR: 5825887F
EXCEPTION_CODE: (NTSTATUS) 0x5825887f - <Unable to get error code text>
EXCEPTION_CODE_STR: 5825887F
EXCEPTION_STR: PRIVATE_SYMBOLS
IMAGE_NAME: ntdll.wrong.symbols.dll
MODULE_NAME: ntdll_wrong_symbols
SYMBOL_NAME: ntdll_wrong_symbols!5825887F1D1000
BUCKET_ID: PRIVATE_SYMBOLS_X64_10.0.14393.206_(rs1_release.160915-0644)_TIMESTAMP_161111-085943
DEFAULT_BUCKET_ID: PRIVATE_SYMBOLS_X64_10.0.14393.206_(rs1_release.160915-0644)_TIMESTAMP_161111-085943
PRIMARY_PROBLEM_CLASS: PRIVATE_SYMBOLS
FAILURE_BUCKET_ID: PRIVATE_SYMBOLS_X64_10.0.14393.206_(rs1_release.160915-0644)_TIMESTAMP_161111-085943_5825887F_ntdll.wrong.symbols.dll!5825887F1D1000
FAILURE_EXCEPTION_CODE: 5825887F
FAILURE_IMAGE_NAME: ntdll.wrong.symbols.dll
BUCKET_ID_IMAGE_STR: ntdll.wrong.symbols.dll
FAILURE_MODULE_NAME: ntdll_wrong_symbols
BUCKET_ID_MODULE_STR: ntdll_wrong_symbols
FAILURE_FUNCTION_NAME: 5825887F1D1000
BUCKET_ID_FUNCTION_STR: 5825887F1D1000
BUCKET_ID_OFFSET: 0
BUCKET_ID_MODTIMEDATESTAMP: 0
BUCKET_ID_MODCHECKSUM: 0
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: PRIVATE_SYMBOLS_X64_10.0.14393.206_(rs1_release.160915-0644)_TIMESTAMP_161111-085943
FAILURE_PROBLEM_CLASS: PRIVATE_SYMBOLS_X64_10.0.14393.206_(rs1_release.160915-0644)_TIMESTAMP_161111-085943
FAILURE_SYMBOL_NAME: ntdll.wrong.symbols.dll!5825887F1D1000
TARGET_TIME: 2017-01-30T03:25:43.000Z
OSBUILD: 14393
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 768
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-07-15 22:21:29
BUILDDATESTAMP_STR: 160915-0644
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14393.206
ANALYSIS_SESSION_ELAPSED_TIME: f73
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:private_symbols_x64_10.0.14393.206_(rs1_release.160915-0644)_timestamp_161111-085943_5825887f_ntdll.wrong.symbols.dll!5825887f1d1000
FAILURE_ID_HASH: {018e4f21-5e50-795f-89a0-0abfdc0c2abc}
Followup: MachineOwner
---------
回答1:
Use .symfix and .reload commands before running !analyze -v
回答2:
I don't see any issue with your symbol path and usually that should have worked. However, when I tried the HTTPS version of the Microsoft symbol server, the connection times out today.
The .symfix;.reload (which was mentioned in the output of !analyze and also suggested in another answer) works, because it changes the symbol server to HTTP, which is currently not broken.
来源:https://stackoverflow.com/questions/41983523/windbg-windows-symbols