We have an application that is undergoing performance testing. Today, I decided to take a dump of w3wp & load it in windbg to see what is going on underneath the covers. Imagine my surprise when I ran !threads and saw that there are 640 background threads, almost all of which seem to say the following:
OS Thread Id: 0x1c38 (651)
Child-...
I need to log some data when some functions are hit, both at the start of execution and the end of it. While I have no problem with putting breakpoints at the start of the functions (using bu [module]!functionname), I don't know how to put a breakpoint at the end of a function, SUCH THAT I don't need to edit the breakpoint every time I ad...
I work on a large application, and frequently use WinDbg to diagnose issues based on a DMP file from a customer. I have written a few small extensions for WinDbg that have proved very useful for pulling bits of information out of DMP files. In my extension code I find myself dereferencing c++ class objects in the same way, over and ove...
This is related to my previous question, regarding pulling objects from a dmp file.
As I mentioned in the previous question, I can successfully pull objects out of the dmp file by creating wrapper 'remote' objects. I have implemented several of these so far, and it seems to be working well. However I have run into a snag.
In one cas...
Hello all, let me say first that I'm writing this question after months of trying to find out the root of a crash happening in our application. I'll try to detail as much as possible what I've already found out about it.
About the application
It runs on Windows XP Professional SP2.
It's built with Microsoft Visual C++ 6.0 with Service...
Hi SO people, I'm very surprised this issue hasn't been discussed in-depth:
This article tells us how to use windbg to dump a running .Net process strings in memory.
I spent much time researching the SecureString class, which uses unmanaged pinned memory blocks, and keeps the data encrypted too. Great stuff.
The problem comes in when ...
I have a C++ application compiled with VS 2008 with pdb file enabled. After I tried to use the dv command to display local vars, it shows the following message:
Unable to enumerate locals, HRESULT0x80004005
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
Note that:
I've run the "dv" comm...
Hi all,
I'm debugging remotely a windows XP machine. One of my drivers is loaded at address 0xb2c4c000 up to 0xb2cb9680.
Now when I open my driver in IDA, the offset I want to set a breakpoint on is at 00017619.
How can I effectively match my IDA address into windbg?
I've tried the obvious which is to sum 0xb2c4c000 + 00017619 = 0xB2...
I have followed Tess Ferrandez' blog for setting up a custom theme in WinDbg.
I have also started launching WinDbg automatically with -c ".cmdtree c:\mycmdtree.txt"
This correctly opens my cmdtree file as a commands window, but I can't get it to dock properly. The problem appears to be that 'commands' windows can only be opened after ...
Hi all,
I'm running on Mac, have different Windows VMs on Vmware fusion and would like to either find a way to use VirtualKD or an equivalent to be able to remotely debug from one XP VM to another Windows VMs without having to constantly reboot the client VMs.
VirtualKD requires to be installed on the machine hosting VMware. Obviously ...
Hi,
I am trying to automate a device driver's debug session in Windows XP with Windbg. My device has an "index" register and a "data" register, both memory mapped. The index register must be filled with the internal register's index, and the value can be read from the data register.
So, the following Windbg command prints correctly the v...
I see output like this in my DMP file:
Heap entries for Segment00 in Heap 00150000
00150640: 00640 . 00040 [01] - busy (40)
00150680: 00040 . 01808 [01] - busy (1800)
00151e88: 01808 . 00210 [01] - busy (208)
00152098: 00210 . 00228 [00]
001522c0: 00228 . 00030 [01] - busy (22)
001522f0: 00030 . 00018 [01] - busy...
How can I automate the debugging process?
I have a WinDbg script with some basic commands which I want to run when a break occurred in the process/application that I attached to WinDbg. How can I know that there is break in WinDbg, and how to launch the script automatically?
...
I am trying to debug a minidump crash dump. How can I get to know the OS so that I may download related Microsoft Symbols?
I am using Visual studio and windbg.
...
Hi,
I got a crash dump (both mdmp and hdmp) for my application (written in C++) captured using Dr. Watson.
After analyzing the dumps through windbg, I concluded that the crash had occurred in the catch() itself :)
What I need to know is what exception caused the failure in the first place i.e. I need that penultimate (last but one...
Does anyone know how to get ahold of windbg without having to download the entire 620MB WDK ISO?
All I can find on the net to download the debugger is this link, which says you have to get the whole WDK: http://www.microsoft.com/whdc/devtools/debugging/default.mspx.
...
I have received a 64bit dump of a 32bit app that was running on Win7 x64. I am able to load it in WinDbg (hint: !wow64exts.sw) running on a 64bit OS. The symbols for most of my dlls are loaded properly. The pdb for one though does not load. The same pdb does load properly for the same dll when reading a 32bit dump on a different syst...
Hi
In the book "Rootkit Arsenal" page 84 (Chapter 3) mentions:
..., we can view the contents of the
target machine's descriptor registers
using the command with the 0x100 mask:
kd> rM 0x100
and a paragraph below:
Note that the same task can be
accomplished by specifying the GDTR
components explicitly: kd> r gdtr ....
...
My WPF app seems to be crashing when I flip a media element around quickly.
Debugging with WinDbg shows it as crashing with the following stack trace:
0:028:x86> k 20
ChildEBP RetAddr
15aff648 07acb2a9 wmp!CMGSessionHost::GetPDFromTopologySourceNode0+0xb
15aff670 07a080fc wmp!CMGSessionHost::IsWindowsMediaContent+0x8a
15aff688 07acd83...
I am trying to track down the cause of an OutOfMemory for a website. This site has ~12,000 .aspx pages and the last time it crashed I captured a memory dump using adplus.
After some investigation I found a lot of heap fragmentation, there are around 100MB of Free blocks which can't be assigned. Digging deeper one of the Large Object Heaps...