Using ProcMon & Fiddler to Debug WinDbg

So I was trying to analyze a kernel-mode crash dump in WinDbg – but alas, I was getting this message when running !locks:

0: kd> !locks
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_ERESOURCE                                 ***
***                                                                   ***
*************************************************************************
**** DUMP OF ALL RESOURCE OBJECTS ****
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_LIST_ENTRY                                ***
***                                                                   ***
*************************************************************************

80565d70: Unable to get value of ExpSystemResourcesList

So I went and checked my symbol server setup:

[screenshot: WinDbg symbol path settings]

Seems OK? And internet access was fine…

Then I ran .reload /v /f to see what was happening as my symbols loaded:

0: kd> .reload /v /f
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe –
Loading Kernel Symbols

Setting ProcMon to filter on Path contains C:\Symbols, I noticed the following:

[screenshot: ProcMon output filtered on C:\Symbols]

Interestingly, this directory was getting a download.error file:

[screenshot: download.error file in the symbol cache directory]

I then looked at the Fiddler2 log (http://www.fiddler2.com), which showed all the web requests failing – as expected, because these were third-party drivers. But there was no attempt to download ntkrpamp, which I did expect to see at least attempted:

[screenshot: Fiddler2 log of symbol server requests]

So I then looked at the ProcMon stack trace of the event that was successful – opening the .pd_ file. Here we could see it going via Cabinet.dll, so I thought OK, maybe a CAB extract is going on…

[screenshot: ProcMon stack trace showing Cabinet.dll]

So an attempt to expand it via the command line shows:

[screenshot: expand command output for the .pd_ file]

So I then deleted the contents of the folder I had seen in ProcMon, C:\ProgramData\dbg\sym\.

I then re-ran .reload /v /f and, ta-da, we can see the download occur now:

[screenshot: Fiddler2 showing the ntkrpamp symbol download]

…and !locks is back online…

[screenshot: !locks output with correct symbols]

Of course, probably an easier thing to do is just force WinDbg to overwrite the cache with the command:

.reload /v /f /o

To conclude, it seems that if a WinDbg symbol download gets interrupted (I had a network dropout on 3G when I first tried to load this crash dump), you may need to overwrite the cache to get all publicly available symbols.
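The post's diagnosis came down to two artifacts in the cache directory: a download.error marker and a .pd_ file that Cabinet.dll could not expand. The script below is an added example (not code from the post or from the WinDbg tooling) that scans a symbol cache for exactly those leftovers before you decide whether to purge or run .reload /f /o. It assumes the cache layout seen in the post, cache\module\hash\file under a root such as C:\ProgramData\dbg\sym, and relies on two well-known signatures: a Microsoft Cabinet file starts with the bytes MSCF, and a PDB starts with the text "Microsoft C/C++". The sample cache it builds when run without arguments is constructed for demonstration.

```python
"""Scan a WinDbg symbol cache for leftovers of an interrupted download.

Added example; assumes the cache layout <root>\\<module>\\<hash>\\<file>
(e.g. C:\\ProgramData\\dbg\\sym\\ntkrpamp.pdb\\<GUID>\\ntkrpamp.pd_).
"""
import os
import sys
import tempfile
from dataclasses import dataclass, field

CAB_MAGIC = b"MSCF"            # every Microsoft Cabinet (.cab / .pd_) file starts with this
PDB_MAGIC = b"Microsoft C/C++"  # common prefix of the PDB 2.0 and MSF 7.0 headers


@dataclass
class CacheReport:
    error_markers: list = field(default_factory=list)  # download.error files found
    bad_cabs: list = field(default_factory=list)       # .pd_ files that are not CABs
    bad_pdbs: list = field(default_factory=list)       # .pdb files that are not PDBs
    ok: int = 0                                        # files that passed the checks


def classify_file(path):
    """Return one of: error_marker, bad_cab, bad_pdb, ok."""
    name = os.path.basename(path).lower()
    if name == "download.error":
        return "error_marker"
    with open(path, "rb") as f:
        head = f.read(len(PDB_MAGIC))
    if name.endswith(".pd_") and not head.startswith(CAB_MAGIC):
        return "bad_cab"        # truncated/garbage compressed symbol, expand would fail
    if name.endswith(".pdb") and not head.startswith(PDB_MAGIC):
        return "bad_pdb"        # file exists but is not a PDB header
    return "ok"


def scan_symbol_cache(root):
    """Walk the cache and collect every suspicious file into a CacheReport."""
    report = CacheReport()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            kind = classify_file(os.path.join(dirpath, fn))
            if kind == "ok":
                report.ok += 1
            else:
                getattr(report, kind + "s").append(os.path.join(dirpath, fn))
    return report


def suspect_dirs(report):
    """Directories you would delete (or let .reload /f /o overwrite)."""
    paths = report.error_markers + report.bad_cabs + report.bad_pdbs
    return sorted({os.path.dirname(p) for p in paths})


def make_constructed_cache():
    """Build a throwaway cache that mimics the post's failure: constructed data."""
    root = tempfile.mkdtemp(prefix="symcache-")
    broken = os.path.join(root, "ntkrpamp.pdb", "HASH-PLACEHOLDER")
    good = os.path.join(root, "hal.pdb", "HASH-PLACEHOLDER")
    os.makedirs(broken)
    os.makedirs(good)
    with open(os.path.join(broken, "ntkrpamp.pd_"), "wb") as f:
        f.write(b"<html>dropped connection")   # partial download, not a CAB
    with open(os.path.join(broken, "download.error"), "wb") as f:
        f.write(b"")
    with open(os.path.join(good, "hal.pd_"), "wb") as f:
        f.write(CAB_MAGIC + b"\0" * 32)          # minimal CAB-looking stub
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_cache()
    rep = scan_symbol_cache(target)
    print(f"scanned {target}: {rep.ok} ok, {len(rep.error_markers)} download.error, "
          f"{len(rep.bad_cabs)} bad .pd_, {len(rep.bad_pdbs)} bad .pdb")
    for d in suspect_dirs(rep):
        print("  suspect:", d)
```

Run it as python symcache_check.py C:\ProgramData\dbg\sym to get a list of the module directories worth clearing; with no argument it scans a constructed sample cache that reproduces the post's situation (a partial ntkrpamp.pd_ beside a download.error). The magic-number check is the same test expand effectively performs, so a .pd_ flagged here is one Cabinet.dll will refuse to decompress.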

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Debugging, ProcMon. Bookmark the permalink.
