News

newbie question: Unable to verify checksum for mscorlib.ni.dll

microsoft.public.windbg - 2 hours 32 min ago
Hi,
I'm getting the following warning when I load the mini crashdump:
Unable to load image D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
I think I have correctly configured the symbol server.
Categories: WinDbg

Prescriptive Value-Added Debugging

This is a new methodology I’m working on. The idea came from reading the “About the Author” page in a book I got yesterday in the post:

The Nomadic Developer: Surviving and Thriving in the World of Technology Consulting

I will post a review here and on Amazon when I have finished reading. Just a few words for now. This is the first career book I’m reading where I find the pages numbered in roman numerals useful. Page xiii itself looks like a good template (or an example) for a business-oriented CV summary. I am now thinking about updating my CV book (2nd edition?):

Resume and CV: As a Book

With fix-privet,
Dr. DebugLove

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Memory Dump It

Traces of reading, writing, and thinking for 2010-03-12

  • Analyzing VB 6 crash (minidump and log)
  • Weekly C++ brush up: reading C++ Cookbook, C++ in a Nutshell, Beyond the C++ Standard Library
  • Listening to French expressions; reading Film Studies: The Basics and Philosophical Foundations for a Christian Worldview while commuting
  • Memory dump analysis while listening to Vangelis: China and reading The Art of Artificial Evolution
  • Memorianic lunch: RHoP Volume 1, A History of Christianity, A History of God, Main Currents of Marxism, Software Studies, Trotsky, IBPA
  • Memory dump analysis while listening to Mozart: Piano Concertos 5,6,17 and reading Complexity Explained book
  • Got the book in post: The Nomadic Developer
  • Listening to French expressions; reading Theatre Studies: The Basics and Unmaking the West while commuting to the office
Memory Dump It

windbg 6.12 fails to break over serial connection

microsoft.public.windbg - Fri, 03/12/2010 - 21:52
After xcopy installing windbg 6.12 on a development machine that has v 6.11,
I've noticed that 6.12 often fails to break into a debuggee over serial
cable,
while 6.11 on exactly the same setup breaks quickly and reliably.
After restarting v. 6.12, break in works.
It's a pity, but I don't work on win8 beta yet; my targets are old rusty XP
Categories: WinDbg

Re: Debugging symbols for any version of contact.dll

microsoft.public.windbg - Fri, 03/12/2010 - 13:53
Ooops. A pretty big typo.
so I think it's safe to say there are NO symbols in the SDK.
.pat styles [microsoft]
Hello Pablo.
The SDK I was referring to was the Windows SDK. You have told me this is
from live.com so I think it is safe to say there are symbols in the SDK. I
have no information on whether symbols are available for the live.com stuff.
Categories: WinDbg

Getting unmanaged call stack from managed code

microsoft.public.windbg - Fri, 03/12/2010 - 12:38
Hello everyone,
I'm up to building a mini debugger in C# and I already checked out the mdbg project
and use the NativeDebugWraper project in my mini debugger.
My question is: What is the simplest way to get a call stack when my
debuggee is suspended?
I considered already function StackWalk64 from dbghelp.dll but I can not
Categories: WinDbg

New Subsignature

While reading two balanced books about Trotsky I started to admire the signature “S kommunisticheskim privetom, <name>” that can be translated as “With communist greetings, <name>”. Did they laugh in their red sleeves? When I was at primary school I loved History (that was long before I saw a computer at Moscow University, and I loved Chemistry in secondary and high school). In fact, to realize my childhood dream, OpenTask, an iterative and incremental publisher, plans to publish a centennial balanced 2 volume bilingual history of Russian revolutions (the work has begun already):

http://www.opentask.com/history-titles

While commuting today I devised a similar greeting to suffix all my future posts except traces:

With fix-privet,
Dr. DebugLove

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Memory Dump It

Bugtation No.116

When the performance is a performative and the performative is a performance we think about performability:

A virtualization is virtualization.

Peter Brook, The Empty Space

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Memory Dump It

Re: Debugging symbols for any version of contact.dll

microsoft.public.windbg - Fri, 03/12/2010 - 03:47
Hello Pablo.
The SDK I was referring to was the Windows SDK. You have told me this is
from live.com so I think it is safe to say there are symbols in the SDK. I
have no information on whether symbols are available for the live.com stuff.
I know that there is a contacts.pdb in our internal symbol store. That can
Categories: WinDbg

Traces of reading, writing, and thinking for 2010-03-11

  • Weekly statistics class: reading books Freedman’s Statistics, Statistics in a Nutshell and Statistics Hacks
  • Listening to French expressions; reading Theatre Studies: The Basics and The Modern Mind while commuting home to work on WDN, MDAAV4, CDASA
  • Next reading notes on Software Generalist blog: http://bit.ly/9Cs2hW
  • Software trace analysis while listening to Beethoven: Piano Sonatas 10.3-13-14.1-14.2 and reading Musimathics, Volume 1
  • Memory dump analysis while listening to Bach: Cantatas BWV 46-107-179 and reading Weak Links book
  • Memorianic lunch: Ancient Philosophy, A History of Christianity, Main Currents of Marxism, Software Studies, Trotsky (Service), ACM magazine
  • Memory dump analysis while listening to Haydn: Stabat Mater and reading next 10 pages of Windows Internals
  • Listening to French expressions; reading Television Studies: The Basics and Panpsychism in the West while commuting to the office
  • Next reading notes on Software Generalist blog: http://bit.ly/cVa9H3
  • First review of First Fault Software Problem Solving book: http://bit.ly/c0q4o5
Memory Dump It

Reading Notebook: 11-March-10

Dmitry Vostokov's blog about Software - Thu, 03/11/2010 - 17:11

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Clock cycle counter for measuring CPU activity (p. 382)

Process Explorer usage to inspect hung threads (p. 383) - useful for coupled processes (http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/) and could be great with simultaneous WinDbg session to inspect wait chains (http://www.dumpanalysis.org/blog/index.php/2009/02/17/wait-chain-patterns/)

Process Explorer shows both thread and WOW64 thread stacks on x64 (p. 384)

Thread stack and context query limitations for protected processes (pp. 384 - 386)

Thread pool mechanism was moved into kernel space in Vista (p. 387)

TpWorkerFactory and I/O completion ports and KQUEUE (pp. 387 - 388) - see also a “brief guide” to I/O completion ports: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/ 

The mystery of ntdll!TppWorkerThread in stack traces (pp. 389 - 390)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Re: Debugging symbols for any version of contact.dll

microsoft.public.windbg - Thu, 03/11/2010 - 15:06
Hello Pat,
Thank you for your answer.
Contact.dll is inside the Windows Live Contacts (desktop application). I
don't know if the dll is shipped in any SDK, there is an SDK to access
contacts by web but I don't want this.
Is there any way to know if there is an entry of this dll in the symbols
database?
Categories: WinDbg

Reading Notebook: 10-March-10

Dmitry Vostokov's blog about Software - Thu, 03/11/2010 - 00:29

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

W32THREAD (p. 371) - One candidate in _ETHREAD that points to it is Tcb.Win32Thread. One interesting piece of code I found on how to extract window message queues from it: http://www.cc.gatech.edu/~brendan/volatility/dl/threadqueues.py. _W32THREAD structure on x64 W2K8 (we also see that it points to _ETHREAD):

0: kd> dt _W32THREAD
win32k!_W32THREAD
   +0x000 pEThread         : Ptr64 _ETHREAD
   +0x008 RefCount         : Uint4B
   +0x010 ptlW32           : Ptr64 _TL
   +0x018 pgdiDcattr       : Ptr64 Void
   +0x020 pgdiBrushAttr    : Ptr64 Void
   +0x028 pUMPDObjs        : Ptr64 Void
   +0x030 pUMPDHeap        : Ptr64 Void
   +0x038 pUMPDObj         : Ptr64 Void
   +0x040 pProxyPort       : Ptr64 Void
   +0x048 pClientID        : Ptr64 Void
   +0x050 GdiTmpTgoList    : _LIST_ENTRY

!thread output fields (p. 376) - Stack Base and Limit fields can be useful to dump raw stack data via dps command to see execution residue or when reconstructing stack trace, see, for example, this pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/23/crash-dump-analysis-patterns-part-88/

tlist utility (p. 377)

Thread creation calls (pp. 380 - 381) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CreateThread
kernel32!CreateThread (00000000`7731c1c0)
  kernel32!CreateThread+0x28 (00000000`7731c1e8):
    call to kernel32!CreateRemoteThread (00000000`7731c200)

0: kd> uf /c CreateRemoteThread
Flow analysis was incomplete, some code may be missing
kernel32!CreateRemoteThread (00000000`7731c200)
  kernel32!CreateRemoteThread+0x134 (00000000`7731c334):
    call to ntdll!NtCreateThreadEx (00000000`77477790)
  kernel32!CreateRemoteThread+0x166 (00000000`7731c366):
    call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
  kernel32!CreateRemoteThread+0x1b4 (00000000`7731c3b4):
    call to ntdll!RtlQueryInformationActivationContext (00000000`77456b20)
  kernel32!CreateRemoteThread+0x241 (00000000`7731c441):
    call to ntdll!CsrClientCallServer (00000000`7747a460)
  kernel32!CreateRemoteThread+0x281 (00000000`7731c47d):
    call to ntdll!ZwResumeThread (00000000`77477230)
  kernel32!CreateRemoteThread+0x38b (00000000`7731c4ae):
    call to kernel32!_security_check_cookie (00000000`7732c200)

0: kd> uf /c NtCreateThreadEx
ntdll!NtCreateThreadEx (00000000`77477790)
    no calls found

0: kd> uf NtCreateThreadEx
ntdll!NtCreateThreadEx:
00000000`77477790 4c8bd1          mov     r10,rcx
00000000`77477793 b8a5000000      mov     eax,0A5h
00000000`77477798 0f05            syscall
00000000`7747779a c3              ret

0: kd> uf /c nt!NtCreateThreadEx
nt!NtCreateThreadEx (fffff800`01af60fc)
  nt!NtCreateThreadEx+0x3d (fffff800`01af6139):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateThreadEx+0x5b (fffff800`01af6157):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateThreadEx+0x99 (fffff800`01af6195):
    call to nt!memset (fffff800`0187a4d0)
  nt!NtCreateThreadEx+0xc8 (fffff800`01af61c4):
    call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
  nt!NtCreateThreadEx+0x1e1 (fffff800`01af62dd):
    call to nt!PspCreateThread (fffff800`01af5d40)
  nt!NtCreateThreadEx+0x1f0 (fffff800`01af62ec):
    call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)

0: kd> uf /c nt!PspCreateThread
nt!PspCreateThread (fffff800`01af5d40)
  nt!PspCreateThread+0x102 (fffff800`01af5e42):
    call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
  nt!PspCreateThread+0x15b (fffff800`01af5e9b):
    call to nt!ObfReferenceObject (fffff800`01883250)
  nt!PspCreateThread+0x22f (fffff800`01af5f6f):
    call to nt!PspAllocateThread (fffff800`01af6338)
  nt!PspCreateThread+0x243 (fffff800`01af5f83):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateThread+0x2a6 (fffff800`01af5fe6):
    call to nt!PspInsertThread (fffff800`01af4c10)
  nt!PspCreateThread+0x318 (fffff800`01af6058):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt!PspCreateThread+0x32a (fffff800`01af606a):
    call to nt!_security_check_cookie (fffff800`01895e50)
  nt!PspCreateThread+0x36a (fffff800`01af60aa):
    call to nt!ObfReferenceObject (fffff800`01883250)
  nt!PspCreateThread+0x3a2 (fffff800`01af60e2):
    call to nt!ExfAcquireRundownProtection (fffff800`0184f66c)
  nt! ?? ::NNGAKEGL::`string'+0x2816e (fffff800`01b3628e):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x281ad (fffff800`01b362ca):
    call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
  nt! ?? ::NNGAKEGL::`string'+0x281ce (fffff800`01b362eb):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x281d8 (fffff800`01b362f5):
    call to nt!ObfDereferenceObject (fffff800`0187cde0)
  nt! ?? ::NNGAKEGL::`string'+0x281e7 (fffff800`01b36304):
    call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
  nt! ?? ::NNGAKEGL::`string'+0x281ff (fffff800`01b3631c):
    call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
  nt! ?? ::NNGAKEGL::`string'+0x2821a (fffff800`01b36337):
    call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Traces of reading, writing, and thinking for 2010-03-10

  • Listening to French expressions; reading Television Studies: The Basics and History of Western Music while commuting home to work on WDN
  • Memory dump analysis while listening to Kenny G: Faith: A Holiday Album
  • Analysis of memory dump analysis while reading next 10 pages of Windows Internals book
  • Software trace analysis while listening to Mozart: Piano Concertos 2-9-12
  • Memory dump analysis while listening to Beethoven: Piano Sonatas 7, 10.1, 10.2 and reading Musimathics, Volume 1
  • Memorianic lunch: Greece and Rome, A History of Christianity, Main Currents of Marxism, Software Studies, Trotsky (Thatcher), IBPA magazine
  • Books in the post: Television Studies: The Basics, Film Studies: The Basics, Theatre Studies: The Basics, The Nature of Order (Book 1)
  • Software trace analysis while listening to Bach: Cantatas BWV 102-7-196 and reading Information and Its Role in Nature book
  • Listening to French expressions; reading Semiotics: The Basics and Images of Organization while commuting to the office
  • Bought the book: The Nomadic Developer: Surviving and Thriving in the World of Technology Consulting
Memory Dump It

Re: Debugging symbols for any version of contacts.dll

microsoft.public.windbg - Wed, 03/10/2010 - 23:18
Hello Pipaman.
I don't know what product contacts.dll ships in, but if it is in some
version of Windows, there is a good chance you could find the symbols in the
appropriate SDK symbols package.
.pat styles [microsoft]
Hi,
I want to get symbols of any version of contacts.dll, not only the one
located in my system.
Categories: WinDbg

Debugging symbols for any version of contacts.dll

microsoft.public.windbg - Wed, 03/10/2010 - 17:31
Hi,
I want to get symbols of any version of contacts.dll, not only the one
located in my system.
I tried to find the symbols of the installed version and it is not available
but symbols of any version of the dll are useful for me.
Is there any way to get which version of the dll has symbols if any?
Categories: WinDbg