Windbg

Hello,

I’m new to Windows internals and Windows debugging. My question is that I’m trying to configure windbg to analyze core or crash dumps, but I keep getting this when I open a crash dump:
Microsoft (R) Windows Debugger Version 6.0.6001.18000
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\Mini020810-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
;srv*c:\windows\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Kernel base = 0x82608000 PsLoadedModuleList = 0x8271fc70
Debug session time: Mon Feb 8 11:17:12.331 2010 (GMT-7)
System Uptime: 0 days 0:22:17.962
Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
Loading Kernel Symbols

The call to LoadLibrary(ext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(exts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kdexts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(ext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(exts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kdexts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.

Please, advise.

Thanks in advance.

You have a minidump. Probably you’ll have more luck with a kernel dump
(or even full dump, depends on what you’re doing).
Set up your target machine for a kernel dump.

–pa


Thanks for your reply, I created a full dump, but I got something slightly different.

.*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -

The call to LoadLibrary(ext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(exts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kdexts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(ext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(exts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kext) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.
The call to LoadLibrary(kdexts) failed, Win32 error 2
“The system cannot find the file specified.”
Please check your debugger configuration and/or network access.

Now it looks like windbg cannot load its extension dlls.
So… “Please check your debugger configuration and/or network access.”

–pa


You might try running ‘depends.exe’ on the extensions that are failing to see what import is the problem. Given that it’s failing to load windbg dist extensions, I would assume that you have something seriously wrong with your windbg installation.

Good luck,

mm

What configuration needs to be present for windbg? I can see only the symbol path.

I’m not sure what you’re asking, but let’s see what windbg reports for these:

.sympath
.extpath

mm

kd> .sympath
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
;srv*c:\windows\Symbols*http://msdl.microsoft.com/download/symbols
WARNING: Whitespace at end of path element
kd> .extpath
Extension search path is: C:\Windows\system32\winext;C:\Windows\system32\winext\arcade;C:\Windows\system32\WINXP;C:\Windows\system32\pri;C:\Windows\system32;C:\Windows\system32\winext\arcade;C:\Program Files\Intel\Parallel Studio\Composer\tbb\ia32\vc9\bin;C:\Program Files\Intel\Parallel Studio\Composer\ipp\ia32\bin;C:\Program Files\Intel\Parallel Studio\Composer\lib\ia32;C:\Program Files\CodeGear\RAD Studio\6.0\bin;C:\Users\Public\Documents\RAD Studio\6.0\Bpl;C:\Program Files\Georgia Tech\Swarm-1.2\swarm\lib;C:\Program Files\Georgia Tech\Swarm-1.2\pthreads\lib;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Windows\System32\Windows System Resource Manager\bin;C:\Windows\idmu\common;c:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Users\Administrator\Desktop\pro\Copy of WIN32 1-8-0\x_stream_client_sdk\bin;C:\Program Files\Microsoft Network Monitor 3;C:\Program Files\QuickTime\QTSystem;C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\Scripts;C:\Program Files\MySQL\MySQL Server 5.1\bin;C:\Program Files\TortoiseSVN\bin;C:\Program Files\Windows Imaging;C:\Windows\System32\inetsrv;C:\Users\Public\Documents\RAD Studio\6.0\Bpl

I’m not really sure what’s going on with your .extpath.

  • Did you set the extension path previously?
  • Did you install windbg to the windows\system32 directory?

If the latter, I’m not sure what to tell you to do. It definitely shouldn’t be installed there, but I would really recommend uninstalling it either, as I could see the uninstaller deleting files like dbghelp.dll in the process.

Otherwise, I guess what I would recommend at this point is that unless you think you need all those directories for some reason you try the following in order:

a. Figure out where windbg is installed. Let’s call it ‘’
b. .extpath \winext;\winxp;

See if it works.

If it doesn’t, then at this point, I’d recommend that you reinstall windbg.

Good luck,

mm
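
The check suggested in the post above, as an added example that is not part of the original thread: the debugger loads extension DLLs by name from the directories on `.extpath`, so this Python sketch parses a `.extpath` reply, lists the entries that lie outside the debugger's install directory, and reports which directory would supply each of the four DLLs named in the LoadLibrary errors. The install directory, the shortened sample reply and the function names are assumptions made for the example.

```python
import ntpath
import os

# Extension DLLs named in the LoadLibrary failures quoted in this thread.
EXTENSION_DLLS = ("ext.dll", "exts.dll", "kext.dll", "kdexts.dll")
MARKER = "Extension search path is:"


def _norm(path):
    """Canonical form for comparing Windows paths (case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def parse_extpath(output):
    """Return the directories from a `.extpath` reply, in order, without repeats."""
    for line in output.splitlines():
        if MARKER in line:
            dirs, seen = [], set()
            for part in line.split(MARKER, 1)[1].split(";"):
                if part.strip() and _norm(part) not in seen:
                    seen.add(_norm(part))
                    dirs.append(part.strip())
            return dirs
    raise ValueError("no '.extpath' reply found in the debugger output")


def is_under(path, root):
    """True if `path` is `root` itself or a directory below it."""
    p, r = _norm(path), _norm(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def list_dir(path):
    """Default lister; a missing or unreadable directory counts as empty."""
    try:
        return os.listdir(path)
    except OSError:
        return []


def audit_extpath(output, install_root, lister=list_dir):
    """Report entries outside the install directory and, for each extension
    DLL, the first directory on the path that contains it (None if missing)."""
    dirs = parse_extpath(output)
    contents = {d: {n.lower() for n in lister(d)} for d in dirs}
    return {
        "outside_install_root": [d for d in dirs if not is_under(d, install_root)],
        "resolved_from": {
            dll: next((d for d in dirs if dll in contents[d]), None)
            for dll in EXTENSION_DLLS
        },
    }


# Constructed sample: a shortened version of the `.extpath` reply in the thread.
SAMPLE = (
    "kd> .extpath\n"
    "Extension search path is: C:\\Windows\\system32\\winext;"
    "C:\\Windows\\system32\\WINXP;C:\\Windows\\system32;"
    "C:\\Program Files\\TortoiseSVN\\bin;C:\\Windows\\System32;"
    "C:\\Users\\Public\\Documents\\RAD Studio\\6.0\\Bpl\n"
)
# Assumed install directory for the example; substitute the real one.
INSTALL_ROOT = r"C:\Program Files\Debugging Tools for Windows (x86)"
```

Run `audit_extpath` on the machine that has the debugger installed, passing the text copied from the command window; a `None` under `resolved_from` corresponds to a "LoadLibrary(...) failed, Win32 error 2" line.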

Whoops.

This:

If the latter, I’m not sure what to tell you to do. It definitely shouldn’t be
installed there, but I would really recommend uninstalling it either,

Should have read:

If the latter, I’m not sure what to tell you to do. It definitely shouldn’t be
installed there, but I WOULDN’T really recommend uninstalling it either,

mm

Are you sure that you’re using the debuggers that shipped with the WinDbg distribution instead of the old in-box debuggers (if you’re on Windows XP)?

I’d expect the extpath to include directories under where you installed the debuggers to.

- S

-----Original Message-----
From: xxxxx@hotmail.com
Sent: Monday, March 22, 2010 11:56
To: Kernel Debugging Interest List
Subject: RE:[windbg] Windbg

kd> .sympath
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
;srv*c:\windows\Symbols*http://msdl.microsoft.com/download/symbols
WARNING: Whitespace at end of path element
kd> .extpath
Extension search path is: C:\Windows\system32\winext;C:\Windows\system32\winext\arcade;C:\Windows\system32\WINXP;C:\Windows\system32\pri;C:\Windows\system32;C:\Windows\system32\winext\arcade;C:\Program Files\Intel\Parallel Studio\Composer\tbb\ia32\vc9\bin;C:\Program Files\Intel\Parallel Studio\Composer\ipp\ia32\bin;C:\Program Files\Intel\Parallel Studio\Composer\lib\ia32;C:\Program Files\CodeGear\RAD Studio\6.0\bin;C:\Users\Public\Documents\RAD Studio\6.0\Bpl;C:\Program Files\Georgia Tech\Swarm-1.2\swarm\lib;C:\Program Files\Georgia Tech\Swarm-1.2\pthreads\lib;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Windows\System32\Windows System Resource Manager\bin;C:\Windows\idmu\common;c:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Users\Administrator\Desktop\pro\Copy of WIN32 1-8-0\x_stream_client_sdk\bin;C:\Program Files\Microsoft Network Monitor 3;C:\Program Files\QuickTime\QTSystem;C:\Program Files\VMware\Infrastructure\vSphere PowerCLI\Scripts;C:\Program Files\MySQL\MySQL Server 5.1\bin;C:\Program Files\TortoiseSVN\bin;C:\Program Files\Windows Imaging;C:\Windows\System32\inetsrv;C:\Users\Public\Documents\RAD Studio\6.0\Bpl



Thank you guys, it’s working like a charm. I reinstalled it. Thank you for your help; I’m so excited to learn more and more about it.

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\share2\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\windows\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) UP Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
Machine Name:
Kernel base = 0x8183d000 PsLoadedModuleList = 0x8194a930
Debug session time: Sun Mar 21 10:17:29.042 2010 (GMT-7)
System Uptime: 0 days 0:26:23.376
Loading Kernel Symbols


Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+255 )

Followup: MachineOwner

kd> .reload
Loading Kernel Symbols


Loading User Symbols

Loading unloaded module list

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

MANUALLY_INITIATED_CRASH (e2)
The user manually initiated this crash dump.
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

BUGCHECK_STR: MANUALLY_INITIATED_CRASH

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 1a

LAST_CONTROL_TRANSFER: from 85dc8c6b to 818f86d9

STACK_TEXT:
8f382aac 85dc8c6b 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1e
8f382adc 85dc9174 00c0ac48 382b3fc6 00000000 i8042prt!I8xProcessCrashDump+0x255
8f382b24 81885641 82a83500 82c0ab90 81964d20 i8042prt!I8042KeyboardInterruptService+0x21e
8f382b24 818a5f60 82a83500 82c0ab90 81964d20 nt!KiInterruptDispatch+0x51
8f382bdc 818a9901 ff401cb0 00000000 00000000 nt!KiDispatchInterrupt
8f382bf8 818a97af 8304b570 8f382c20 00000005 nt!ExpReleaseResourceForThreadLite+0x14a
8f382c3c 8e9a37ce 00000000 8f382c60 8e97ad1b nt!ExReleaseResourceLite+0xf
8f382c48 8e97ad1b 40050434 ff9d4280 00000000 win32k!SURFREF::SURFREF+0x12
8f382c60 8e959c4f 40050434 00000000 0191557e win32k!GreSetBitmapOwner+0x15
8f382c98 8e959dab ff8b64b8 8f382d24 8f382d1c win32k!_SetCursorIconData+0x1f3
8f382d4c 818949aa 00050073 0277e95c 0277e96c win32k!NtUserSetCursorIconData+0x135
8f382d4c 771b9a94 00050073 0277e95c 0277e96c nt!KiFastCallEntry+0x12a
0277e934 76392e9c 76392e84 00050073 0277e95c ntdll!KiFastSystemCallRet
0277e938 76392e84 00050073 0277e95c 0277e96c USER32!NtUserSetCursorIconData+0xc
0277e97c 7639356a 00050073 0277e9b0 00000100 USER32!_SetCursorIconData+0x5d
0277e994 763933e9 0277e9b0 c2a83928 00010000 USER32!CreateIcoCur+0x25
0277ec44 763938c9 70725ca0 000118e1 00000000 USER32!ConvertDIBIcon+0x384
0277ec98 76395727 70725ca0 000118e1 00000001 USER32!CreateIconFromResourceEx+0x87
0277ecd8 75f8c09b 70590002 70725ca0 00100100 USER32!PrivateEnumProc+0x166
0277ecfc 75f5c116 7639577e 70590002 0000000e kernel32!_ResourceCallEnumNameRoutine+0x17
0277ed94 7639427a 70590002 0000000e 7639577e kernel32!EnumResourceNamesExW+0x855
0277f21c 7666465a 0277f278 ffffffe5 00100100 USER32!PrivateExtractIconsW+0x18e
0277f484 766c4065 0277f4d8 ffffffe5 00000040 SHELL32!SHPrivateExtractIconsW+0x21b
0277f6e4 7668467a 0277f784 ffffffe5 00000104 SHELL32!SHDefExtractIconW+0x1d1
0277f720 766bdd9c 0277f784 ffffffe5 0277f778 SHELL32!CExtractIcon::_ExtractW+0xa3
0277f73c 007d3db9 01e3819c 0277f784 ffffffe5 SHELL32!CExtractIconBase::Extract+0x1f
0277f990 007d4346 0015a2cc 00172040 00000040 Explorer!_IconOf+0x10b
0277f9d0 007d41af 0015a2cc 76395a50 0016ffe0 Explorer!SpecialFolderList::_CreateFullListItem+0x91
0277fa0c 007ca20f 76395a50 00161f08 007ca1dd Explorer!SpecialFolderList::EnumItems+0x167
0277fa18 007ca1dd 00161f08 0277fa40 007ca04e Explorer!SFTBarHost::_EnumerateContentsBackground+0xb
0277fa24 007ca04e 00161f08 00175490 00161f08 Explorer!SFTBarHost::CBGEnum::InternalResumeRT+0x11
0277fa40 73abbdbf 00000000 75f60a5b 7fffffff Explorer!CRunnableTask::Run+0xc5
0277fa58 73abc220 0277fa8c 7ffd7000 01e22ad0 BROWSEUI!CShellTask::TT_Run+0x44
0277faa0 73abc376 00163348 7737824d 0277fac0 BROWSEUI!CShellTaskThread::ThreadProc+0x90
0277fab0 7737825b 01e22ad0 00166558 0277fb24 BROWSEUI!CShellTaskThread::s_ThreadProc+0x21
0277fac0 77178a5c 00163348 754354d6 000f8f20 SHLWAPI!ExecuteWorkItemThreadProc+0xe
0277fb24 7719de3f 00163348 00166558 754353a6 ntdll!RtlpTpWorkCallback+0xbf
0277fc54 75f84911 000f8f18 0277fca0 7719e4b6 ntdll!TppWorkerThread+0x545
0277fc60 7719e4b6 000f8f18 75435352 00000000 kernel32!BaseThreadInitThunk+0xe
0277fca0 7719e489 7719dbb0 000f8f18 ffffffff ntdll!__RtlUserThreadStart+0x23
0277fcb8 00000000 7719dbb0 000f8f18 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND: kb

FOLLOWUP_IP:
i8042prt!I8xProcessCrashDump+255
85dc8c6b 83fe01 cmp esi,1

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: i8042prt!I8xProcessCrashDump+255

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: i8042prt

IMAGE_NAME: i8042prt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 47918f5d

FAILURE_BUCKET_ID: MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+255

BUCKET_ID: MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+255

Followup: MachineOwner

Happy to help.

mm