Episode
Defrag Tools #167 - Debugging User Mode Crash Dumps Redux
In this episode of Defrag Tools, Andrew Richards and Chad Beeder use Debugging Tools for Windows (WinDbg) to determine the root cause of various application crashes which have occurred on Andrew's computer. We use Sysinternals ProcDump to capture the dumps.
While debugging, we take a side trip into configuring colors for Compressed and Encrypted files in Windows Explorer, and use Sysinternals Process Monitor to determine why the debugger was getting an Access Denied when loading the PDE Debugger Extension.
We did a similar investigation in these two episodes:
- Defrag Tools #135 - Debugging User Mode Crash Dumps Part 1
- Defrag Tools #136 - Debugging User Mode Crash Dumps Part 2
We cover how to install the Debugging Tools for Windows in this episode:
Get the Sysinternals tools from http://www.sysinternals.com. We use:
Get the PDE debugger extension from the Defrag Tools OneDrive
Get your Symbol Path to the Microsoft Public Symbol Server:
- Via Environment Variable
setx /m _NT_SYMBOL_PATH SRV*C:\My\Sym*https://msdl.microsoft.com/download/symbols - In the Debugger
.sympath SRV*C:\My\Sym*https://msdl.microsoft.com/download/symbols
To collect dumps of crashes on your own machine, install ProcDump as the Postmortem (AeDebugger) debugger:
md c:\dumps
procdump.exe -ma -i c:\dumps
On any dump (user or kernel), you can run automated analysis to view the issue:
!analyze -v
Debugging Cheat Sheet
- c0000005 is an Access Violation - use .ecxr & k
- c000027b is a Stowed Exception (Store Apps) - use !pde.dse
- e0434352 is a CLR Exception - use !sos.pe
- e0697282 is a C++ Exception - use .ecxr & k
- 80000003 is a Breakpoint - use !analyze -v
- When typing a decimal number, prefix it "0n"
- When typing a hexadecimal number, prefix it "0x" (the default prefix)
Common Debugger Commands
.exr -1
- View the Exception Code and the Exception Parameters
- Number looking like C0xxxxxx and 80xxxxxx are HRESULTs (Error Codes)
- Number looking like 7FFFxxxxxxxx are usually code (assembler) addresses
!address
- Display the address information - Commited/Reserved/Free, Image/Mapped/Private
- Used to determine if a number is code or data.
ln
- List Nearest address
- Displays the symbol at or near the address
- Used to determine if a number is code or data.
.ecxr
- Change the debugging context to the point of the exception (rather than being at the Windows Error Reporting context)
r
- View the registers at the current context. (.ecxr produces the same output)
k
- View the call stack
lmvm
- View loaded module verbosely with a mask
- View a module's details, including folder, timestamp, description, copyright, product/file version
| (Vertical Bar or Pipe character)
- View the executable's path (e.g. c:\windows\notepad.exe)
!ext.error
- Get the description of an Error Code. Best at describing System Error Codes.
!pde.err
- Get the description of an Error Code. Good at describing HRESULTs (80xxxxxx and C0xxxxxx)
!pde.dpx
- Scrape the current thread for evidence (symbols, structures, strings, etc.)
.formats
- Displays the number in various formats.
- Easy way of working out if a number is actually ASCII text, or a date/time
!sos.pe
- Display a CLR Exception.
- If there is an Inner Exception, click on the link to view it.
.cordll -u & .cordll -l
- If SOS isn't loaded, try to do an unload and load of the CLR support.
!peb
- View the Process Environment Block (Modules, Command Line, Environment Variables, etc.)
!teb
- View the current Thread's Environment Block (Stack Range, Last Error Code, Last Status Code, etc.)
!gle
- Get Last Error
- Display the Last Error Code and Last Status Code of the current thread
.cls
- Clear the screen.
.reload
- Force a reload (download) of symbols for the modules on the current stack.
.reload /f
- Force a full reload (download) of symbols for the modules on the current stack.
Store Applications
To view the currently installed Store Applications and their version use:
Registry Editor (regedit.exe)
- HKEY_CURRENT_USER\SOFTWARE\Classes\ActivatableClasses\Package
PowerShell
In this episode of Defrag Tools, Andrew Richards and Chad Beeder use Debugging Tools for Windows (WinDbg) to determine the root cause of various application crashes which have occurred on Andrew's computer. We use Sysinternals ProcDump to capture the dumps.
While debugging, we take a side trip into configuring colors for Compressed and Encrypted files in Windows Explorer, and use Sysinternals Process Monitor to determine why the debugger was getting an Access Denied when loading the PDE Debugger Extension.
We did a similar investigation in these two episodes:
- Defrag Tools #135 - Debugging User Mode Crash Dumps Part 1
- Defrag Tools #136 - Debugging User Mode Crash Dumps Part 2
We cover how to install the Debugging Tools for Windows in this episode:
Get the Sysinternals tools from http://www.sysinternals.com. We use:
Get the PDE debugger extension from the Defrag Tools OneDrive
Get your Symbol Path to the Microsoft Public Symbol Server:
- Via Environment Variable
setx /m _NT_SYMBOL_PATH SRV*C:\My\Sym*https://msdl.microsoft.com/download/symbols - In the Debugger
.sympath SRV*C:\My\Sym*https://msdl.microsoft.com/download/symbols
To collect dumps of crashes on your own machine, install ProcDump as the Postmortem (AeDebugger) debugger:
md c:\dumps
procdump.exe -ma -i c:\dumps
On any dump (user or kernel), you can run automated analysis to view the issue:
!analyze -v
Debugging Cheat Sheet
- c0000005 is an Access Violation - use .ecxr & k
- c000027b is a Stowed Exception (Store Apps) - use !pde.dse
- e0434352 is a CLR Exception - use !sos.pe
- e0697282 is a C++ Exception - use .ecxr & k
- 80000003 is a Breakpoint - use !analyze -v
- When typing a decimal number, prefix it "0n"
- When typing a hexadecimal number, prefix it "0x" (the default prefix)
Common Debugger Commands
.exr -1
- View the Exception Code and the Exception Parameters
- Number looking like C0xxxxxx and 80xxxxxx are HRESULTs (Error Codes)
- Number looking like 7FFFxxxxxxxx are usually code (assembler) addresses
!address
- Display the address information - Commited/Reserved/Free, Image/Mapped/Private
- Used to determine if a number is code or data.
ln
- List Nearest address
- Displays the symbol at or near the address
- Used to determine if a number is code or data.
.ecxr
- Change the debugging context to the point of the exception (rather than being at the Windows Error Reporting context)
r
- View the registers at the current context. (.ecxr produces the same output)
k
- View the call stack
lmvm
- View loaded module verbosely with a mask
- View a module's details, including folder, timestamp, description, copyright, product/file version
| (Vertical Bar or Pipe character)
- View the executable's path (e.g. c:\windows\notepad.exe)
!ext.error
- Get the description of an Error Code. Best at describing System Error Codes.
!pde.err
- Get the description of an Error Code. Good at describing HRESULTs (80xxxxxx and C0xxxxxx)
!pde.dpx
- Scrape the current thread for evidence (symbols, structures, strings, etc.)
.formats
- Displays the number in various formats.
- Easy way of working out if a number is actually ASCII text, or a date/time
!sos.pe
- Display a CLR Exception.
- If there is an Inner Exception, click on the link to view it.
.cordll -u & .cordll -l
- If SOS isn't loaded, try to do an unload and load of the CLR support.
!peb
- View the Process Environment Block (Modules, Command Line, Environment Variables, etc.)
!teb
- View the current Thread's Environment Block (Stack Range, Last Error Code, Last Status Code, etc.)
!gle
- Get Last Error
- Display the Last Error Code and Last Status Code of the current thread
.cls
- Clear the screen.
.reload
- Force a reload (download) of symbols for the modules on the current stack.
.reload /f
- Force a full reload (download) of symbols for the modules on the current stack.
Store Applications
To view the currently installed Store Applications and their version use:
Registry Editor (regedit.exe)
- HKEY_CURRENT_USER\SOFTWARE\Classes\ActivatableClasses\Package
PowerShell
Have feedback? Submit an issue here.