Windows - using the debugger

**Paul Adams** · 16-09-2007, 11:15 AM

Debugging Windows 101

Foreword
This is a brief tutorial on initial analysis of "crash dumps" which the enthusiast may find of interest if they encounter situations with hanging/crashing apps, bluescreens or a hung OS.

It is NOT intended to be an in-depth complete solution to every problem scenario, but a "point in the right direction" to maybe give some clues as to what might be the cause, for those that want to know more.

The following procedures are "one-off" actions which can prepare the system to create data that is useful to help pinpoint a problem - they don't "fix" anything in themselves.

To make any sense of the dumps, or in some cases to even create them, the Debugging Tools for Windows needs to be downloaded and installed first:
http://www.microsoft.com/whdc/devtoo...g/default.mspx

Common Procedures

1. Configure page file settings to ensure a kernel memory dump can be produced

- Right-click (My) Computer, click Properties
- (Vista only) Click 'Advanced System Settings' and OK the UAC prompt
- Select the 'Advanced' tab and click the 'Settings' button in the 'Performance' section
- Select the 'Advanced' tab and click the 'Change' button in the 'Virtual Memory' section

Recommended option is to select 'Automatically manage paging file size for all drives'

If you do manually set the size and location of the page file, ensure that the size of page file on the system volume (where Windows resides) is "big enough to hold a copy of all kernel memory" (this is why it's easiest to let Windows determine what it needs, this is something that can change from system to system - and also why it's not necessarily a good idea to run without a page file, or with a tiny one on a separate volume)

----

2. Configure memory dump option to request a kernel memory dump on a bugcheck

- Right-click (My) Computer, click Properties
- (Vista only) Click 'Advanced System Settings' and OK the UAC prompt
- Select the 'Advanced' tab and click the 'Settings' button in the 'Startup and Recovery' section
- From the 'Write debugging information' drop-down list, select 'Kernel memory dump'
- Check the path for the dump file is "%SystemRoot%\MEMORY.DMP"

NOTE:
In order to produce a valid dump of kernel memory when a bugcheck occurs, the following must be true:
> the page file on the system drive (where Windows resides) must be large enough to hold it
> there must be enough free space on the system drive to make a copy of the dump file from the page file to %SystemRoot%\MEMORY.DMP
> the disk holding the system volume must be accessible at the time of the bugcheck (i.e. 'drive disappears' = no dump)
> any ASR (Automated System Recovery) feature must not hard-reboot the system during the dump (only really applicable to servers)

----

3. Configure "Crash on CTRL-scroll" to allow manual bugchecks

** THIS FEATURE REQUIRES A PS/2 KEYBOARD (ON EVERY OS OTHER THAN WINDOWS SERVER 2003) **

- Launch regedit.exe
- Drill down to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
- Add a registry value with the following details:
Name: CrashOnCtrlScroll
Type: DWORD
Data: 1
- Reboot

This allows you to manually cause a bugcheck by holding down the right CTRL key and hitting Scroll Lock twice
It is useful for creating a memory dump from systems that appear to be hung

For more details see http://support.microsoft.com/kb/244139

----

4. Configure debugging symbols path environment variable

- Right-click (My) Computer, click Properties
- (Vista only) Click 'Advanced System Settings' and OK the UAC prompt
- Select the 'Advanced' tab and click the 'Environment Variables' button at the bottom
- Click the 'New' button in the 'System variables' section, enter the following values:
Variable name: _NT_SYMBOL_PATH
Variable value: srv*c:\symbols*http://msdl.microsoft.com/download/symbols

This allows tools that use debugging symbols to be able to locate them - if they are locally stored then these are used, otherwise the symbol server is queried and they are downloaded and stored locally for later reference

What are 'symbols'?
These are (often large) files which are associated with files containing executable code (drivers, DLLs, EXEs, CPLs, etc.) and provide information such as function names, variable names, locations and sizes of data structures, so that the debugger isn't just trying to deal with a collection of 0's and 1's

The above symbol path can be changed if c:\symbols is not a useful or valid place for a particular system, but bear in mind this folder will accumulate symbols over time if a debugger is used frequently for dump analysis and it will not get cleared down

Every build of a particular file, if a change is made, will create a unique symbols file, so you will see multiple .PDB files for the same binary as hotfixes or service packs are applied to an OS, or if you look at dumps from other users' systems

**Paul Adams** · 16-09-2007, 11:16 AM

Debugging Scenarios

Assuming you have installed the Debugging Tools for Windows and have a scenario you want to take a look at in more detail, here are some quick definitions and and overview of how we get to the point where the debugger can start to be used...

---

Process Crash

This is where you typically get the message along the lines of "This program has performed an illegal operation and will be shut down" at random points or when performing a specific action

This is an unhandled exception in user-mode - not critical to the system as a whole

- Start a command prompt, navigate to the folder where you installed the Debugging Tools
- Start the program which crashes (for the sake of the example I will call it CRASHAPP.EXE)
- Switch to the command prompt window and run the following command:
ADPlus -crash -ctcf -pn CRASHAPP.EXE -o C:\Dumps

ADPlus switches explained:
> -crash = the debugger is to watch the process until it throws an exception, then attach and create a dump before exiting it
> -ctcf = create a complete memory dump of the process with as much information as possible
> -pn = the name of the process to which the debugger should attach
> -o = the output folder where the user-mode dumps are to be generated, in unique sub-folders (under C:\Dumps in the above example)

If the program crashes immediately on startup, however, then you can use the debugger to launch it and perform a debug directly on the program rather than rely on a "post mortem" dump file

If there are multiple instances of the same process name, then the process ID (PID) can be used to identify it and the switch '-p' used instead of '-pn' and the process name - PIDs can be seen through Task Manager, TASKLIST.EXE, Process Explorer, a kernel debug, and no doubt hundreds of other methods

---

Process Hang

A lot of people report a hang as a crash and vice versa, but the symptoms and root causes are very different.
A HUNG application is waiting on an event that is either never going to happen, or is taking a long time, and in the meantime it appears unrespsonsive, maybe without the window updating ("repainting").

- Start a command prompt, navigate to the folder where you installed the Debugging Tools
- Start the program which crashes (for the sake of the example I will call it HANGAPP.EXE)
- When the process HANGAPP.EXE hangs, switch to the command prompt window and run the following command:
ADPlus -hang -pn HANGAPP.EXE -o C:\Dumps

ADPlus switches explained:
> -hang = the debugger is to passively attach to the process and take a snapshot of its memory space without causing it to exit
> -pn = the name of the process to which the debugger should attach
> -o = the output folder where the user-mode dumps are to be generated, in unique sub-folders (under C:\Dumps in the above example)

As with a process crash, if there are multiple instances of the same process name, then identify the correct PID and use it instead, with '-p'

Often it can be useful to take 2 or 3 dumps of a hung process at 10-second intervals, to see if there are differences between them to indicate if it is just very, very slow to update or is "deadlocked" - just run the same command again as the sub-folder name for the dump contains the time you ran the command

---

System Crash

Bluescreen, bluescreen of death (BSOD), bugcheck, crash - doubtless there are many other names given to it too

This is an unhandled exception in kernel-mode - as every process on the system shares kernel space, if something bad happens here then it can be bad news for everyone and to prevent further problems it shuts up shop
And it is FURTHER problems, as we have detected something unexpected but that is not to say the kernel isn't a bullet-ridden corpse by this point

Follow common procedures 1 & 2 to make Windows produce something that can be reviewed to provide some clues

When the OS crashes (bugchecks), the kernel memory is dumped into the page file and the system restarts
On starting Windows, the page file is found to contain a crash dump and it is copied to %systemroot%\MEMORY.DMP

---

System Hang

If Windows becomes unresponsive but does not bugcheck to produce a dump file, and common procedures 1, 2 & 3 have been followed beforehand, you can create a "STOP 0xE2" memory dump by holding down the right CTRL key and hitting SCROLL LOCK twice - this then goes through the same process as the "System Crash" description above

In the event of a hung system, instead of creating a crash dump and then analysing it offline, it may be possible to "live debug" the computer through a serial, USB or firewire cable from a separate computer (clearly the computer cannot suspend itself in order to debug itself - the debugger process would be suspended at the same time, and there would be no routines available to copy symbols around)

Live debugging can alsobe used for scenarios where the dump file is not being created on a bugcheck - possibly due to a hardware problem or the disk controller decides the disk is no longer present

**Paul Adams** · 16-09-2007, 11:17 AM

Analysing Dumps

Okay, so you have your recurring problem, you prepared the system to generate the useful data and now you have something to look at... now what?

In order to make sense of the raw data in the dumps, you need the relevant symbols for (ideally all) the modules containing code in it - see common procedure 4

Now we're ready to actually load the dump file for analysis...

- Launch WinDbg
- Click File
- Click 'Open Crash Dump', browse to the .DMP file and double-click it

The header of the dump file will let the debugger know what type of dump it is and what symbols are essential to even make a start - i.e. for a dump of EXPLORER.EXE, at the very least we will need symbols for this file

WinDbg may therefore look like it isn't doing a great deal initially, whereas it is in fact checking for (and downloading) symbols it needs

There is a bar at the bottom for you to enter commands into the debugger once it has done the necessary downloading

Commands I typically enter when debugging, so I know what the debugger is doing when it appears to be idle:

!sym noisy
- This turns on "noisy" symbol loading so you can see where it is getting symbol files from (the symbols files can be large as take a while to download sometimes)

Code:

0:007> !sym noisy
noisy mode - symbol prompts on

.reload /f
- This forces a reload of symbols for all modules in the dump file, even those which have not yet been downloaded but might trigger a download in the middle of your debugging session

Code:

0:007> .reload /f
Reloading current modules
.
SYMSRV:  Q:\Symbols\Script Checker Interceptor.pdb\527CFF7666C84738B5BDD72E225ADC321\Script Checker Interceptor.pdb not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/Script Checker Interceptor.pdb/527CFF7666C84738B5BDD72E225ADC321/Script Checker Interceptor.pdb not found
DBGHELP: Script Checker Interceptor.pdb - file not found
DBGHELP: O:\out_Win32\Release\Script Checker Interceptor.pdb - file not found
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for scrchpg.dll - 
DBGHELP: scrchpg - export symbols
.
SYMSRV:  iexplore.pdb from http://msdl.microsoft.com/download/symbols: 86673 bytes - copied         
DBGHELP: iexplore - public symbols  
         Q:\Symbols\iexplore.pdb\3544BAF610664EC3B420AF05F04F589B2\iexplore.pdb
.
SYMSRV:  ieframe.pdb from http://msdl.microsoft.com/download/symbols: 2160324 bytes - copied         
DBGHELP: IEFRAME_4df0000 - public symbols  
         Q:\Symbols\ieframe.pdb\4A4E76B2DB544787AD0633C6BA8271CE2\ieframe.pdb
.
SYMSRV:  Q:\Symbols\r3hook64.pdb\993432011C36406A93CDDA0CADB66DB41\r3hook64.pdb not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/r3hook64.pdb/993432011C36406A93CDDA0CADB66DB41/r3hook64.pdb not found
DBGHELP: r3hook64.pdb - file not found
DBGHELP: O:\out_win32\Release\r3hook64.pdb - file not found
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for r3hook.dll - 
DBGHELP: r3hook - export symbols
.
DBGHELP: IEFRAME - public symbols  
         Q:\Symbols\ieframe.pdb\4A4E76B2DB544787AD0633C6BA8271CE2\ieframe.pdb

!analyze -v
- Most people start here, as it gives you a quick overview of an exception (assuming it wasn't a manual dump) and in some cases a "probably caused by" guess (and it IS a guess, in some cases very accurate and in others completely wrong)

!vm
- Presents a summary of virtual memory along with a list of the processes running at the time of the crash

lm ft
- "List Modules" (with file location & timestamp fields) to get a complete list of module information to look for old drivers or those known to be versions which are not stable

Code:

0:007> lmft
start             end                 module name
00000000`003e0000 00000000`00405000   scrchpg  scrchpg.dll  Fri Mar 09 17:46:53 2007 (45F18F7D)
00000000`00c40000 00000000`00cdb000   iexplore C:\Program Files (x86)\Internet Explorer\iexplore.exe Tue Jun 26 03:50:59 2007 (46807103)
00000000`04df0000 00000000`053bb000   IEFRAME_4df0000 IEFRAME.dll  Tue Jun 26 04:50:31 2007 (46807EF7)
00000000`10000000 00000000`10010000   r3hook   r3hook.dll   Fri Mar 09 17:51:14 2007 (45F19082)
00000000`724c0000 00000000`72a8b000   IEFRAME  IEFRAME.dll  Tue Jun 26 04:53:52 2007 (46807FC0)
00000000`72e60000 00000000`72ea5000   SCHANNEL SCHANNEL.dll Tue Jun 19 04:07:52 2007 (46773A78)
00000000`72eb0000 00000000`72ed1000   NTMARTA  NTMARTA.dll  Thu Nov 02 10:43:55 2006 (4549BDDB)
00000000`72fe0000 00000000`73010000   MLANG    MLANG.dll    Thu Nov 02 10:40:07 2006 (4549BCF7)
00000000`73060000 00000000`7320a000   gdiplus  gdiplus.dll  Thu Nov 02 10:38:55 2006 (4549BCAF)...

lm vm MODULENAME
- Display verbose information on module MODULENAME, often the author of the module and the version strings are in here

Code:

0:007> lmvm r3hook
start             end                 module name
00000000`10000000 00000000`10010000   r3hook     (export symbols)       r3hook.dll
    Loaded symbol image file: r3hook.dll
    Image path: r3hook.dll
    Image name: r3hook.dll
    Timestamp:        Fri Mar 09 17:51:14 2007 (45F19082)
    CheckSum:         0001316A
    ImageSize:        00010000
    File version:     6.0.2.621
    Product version:  6.0.2.621
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Kaspersky Lab
    ProductName:      Kaspersky Anti-Virus
    InternalName:     R3HOOK
    OriginalFilename: R3HOOK.DLL
    ProductVersion:   6.0.2.621
    FileVersion:      6.0.2.621
    FileDescription:  Kaspersky Anti-Virus Ring 3 Hooker
    LegalCopyright:   Copyright © Kaspersky Lab 1996-2007.
    LegalTrademarks:  Kaspersky™ Anti-Virus ®  is registered trademark of Kaspersky Lab.

kv 50
- show the last (up to) 50 stack entries for the current thread ('kv' by itself might show only the top portion of a stack if it's large)

Code:

0:000> kv 50
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`0017dca8 00000000`76f6ed73 : 00000000`00000001 00000000`7708ead9 00000000`00100246 00000000`00000000 : ntdll!NtWaitForMultipleObjects+0xa
00000000`0017dcb0 00000000`7708e96d : 00000000`00000001 00000000`0017ded0 00000000`00000000 00000000`00000000 : kernel32!WaitForMultipleObjectsEx+0x10b
00000000`0017ddc0 00000000`7708e85e : 00000000`00000001 00000000`0024c260 00000000`00279f50 00000000`00000000 : USER32!RealMsgWaitForMultipleObjectsEx+0x129
00000000`0017de60 000007fe`f92b8fdf : 00000000`002899f0 00000000`0028bb00 00000000`ffffffff 000007fe`f92c3ad9 : USER32!MsgWaitForMultipleObjectsEx+0x46
00000000`0017dea0 000007fe`f92ad845 : 00000000`00000001 00000000`0024c260 00000000`00279f50 00000000`ffffffff : IEUI!CoreSC::Wait+0x4f
00000000`0017def0 000007fe`f5d41b7d : 00000000`00275260 00000000`00000000 00000000`00000000 00000000`00000000 : IEUI!WaitMessageEx+0x75
00000000`0017df30 000007fe`f5d7ccf7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0024c260 : IEFRAME!CBrowserFrame::FrameMessagePump+0x1d0
00000000`0017dfa0 000007fe`f5d7dfa4 : 00000000`00000001 00000000`00275260 00000000`00000000 00000000`00272300 : IEFRAME!BrowserThreadProc+0x47
00000000`0017dfd0 000007fe`f5d7debf : 10e1f12f`0000000a 00000000`0024c260 00000000`001fc7c0 00000000`00000001 : IEFRAME!BrowserNewThreadProc+0x92
00000000`0017e010 000007fe`f5d7d6e8 : 00000000`0024c260 00000000`0024c260 00000000`00000001 00000000`00000000 : IEFRAME!SHOpenFolderWindow+0x202
00000000`0017f0c0 00000000`00a8d3d2 : 00000000`001fc7c0 00000000`00000001 00000000`00000001 00720074`00620027 : IEFRAME!IEWinMain+0x369
00000000`0017f370 00000000`00a91b6e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : iexplore!wWinMain+0x35a
00000000`0017f810 00000000`76f6cdcd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : iexplore!StringVPrintfWorkerW+0x272
00000000`0017f8d0 00000000`7718c6e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0017f900 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

The analysis of a dump depends very much on the type of dump (user mode or kernel mode), whether it was a crash or a hang, and if it was a crash what the exception code was - there isn't a magic "!what_went_wrong" instruction to solve everything for you.

Without symbols, debugging is almost impossible - so if MyFancyApp.exe by MadeUpCompany keeps crashing randomly then chances are only the developers at MadeUpCompany could provide any useful diagnosis

Crash dumps I find generally easier to diagnose than hang dumps, as there is a point from which we can work backwards to work out how we might have arrived at the exception

That said, hang dumps are sometimes simply "deadlocks"
e.g. thread A owns resource X, holding it exclusively and wants resource Y, while thread B owns resource Y exclusively and wants resource X - the 2 threads are now deadlocked waiting for something that will never occur

For a crash dump, the stack of the running thread at the time of the crash is the first clue as it must have caused the exception - but it does NOT mean that it is guaranteed to be the bad guy (though this is very often the case)

Consider a case where driver P is naughty and overruns a buffer it allocated, extending into a memory area allocated by driver Q - driver P is able to work with its data quite happily, complete its work and hand control back to whoever wants it - then along comes driver Q at some future time to work on its data and finds it to be garbage
BOOM - unhandled exception in kernel mode = bugcheck - stack trace evdience says "probably caused by driver Q"

In order to do any decent kind of analysis, the more information we have, the better - in the case of dump analysis, this means more dumps
What is interesting it what the dumps have in common - because of how memory is used dynamically, in the "driver P/driver Q" scenario above it might present as different STOP codes in different drivers and so appear to have no particular pattern

A particularly useful tool if you suspect drivers is "Driver Verifier" - verifier.exe - which happens to be built into Windows
This is a troubleshooting tool and should only be used for identifying problems with system stability, as enabling debugging options here will have an impact on performance - don't go blindly enabling everything this tool can do or you may render Windows unbootable (though "Last Known Good" should get you back)

If, for example, you have a machine which keeps bugchecking with messages relating to "pool corruption", then the "speical pool" option on all 3rd party drivers could help - in the "driver P/driver Q" scenario it would actually bugcheck the system earlier, with a different STOP code, and point the finger at driver P when it overran its pool allocation

"Drivers" can include video, audio, network, USB, antivirus, virtual device, filters - they can be related to specific hardware devices or used by software such as services or system applications
Sometimes assumptions made by drivers can lead to problems that only occur when used in combination with each other
- if 2 filter drivers assume they are at the very top or bottom of the filter stack, for example - and this is why running 2 separate AV products at the same time might not be wise

**kidzer** · 16-09-2007, 11:49 AM

Another interesting article for us geeky hexites to read with interest - thank you Mr. Adams

**TheAnimus** · 16-09-2007, 03:35 PM

Very good work

**Paul Adams** · 10-10-2007, 07:26 PM

User-Mode Process Debugging
When taking a look at a dump from a single process, it is both simpler and trickier than kernel dumps.

Simpler because there are less threads to be concerned with than in a kernel dump, and smaller virtual memory space.

Trickier because you can't see the kernel stack of any thread, so threads may appear to end with calls into ntdll.dll - and also because a lot of the time you are dealing with 3rd party binaries to which you don't have symbols.

A large number of features in Windows are extensible by 3rd parties by loading their DLLs into their process virtual memory spaces - Internet Explorer, Explorer, Print Spooler, etc.
If any of these DLLs contains code which is buggy, the process can crash, often pointing to the wrong module as the root cause - in the same way that bugs in drivers can cause Windows to crash and point to "the kernel".

Spotting 3rd party modules in Microsoft processes is pretty simple - there are no symbols on the symbol server for them.

A bit of "hands-on" - apologies if it's not very readable, the output is wide due to the OS being 64-bit.

Here is me launching Notepad and attaching WinDbg to the process (thus suspending it):