Obtaining Correct Mscordacwks.dll for .NET WinDbg’ing

If you open a lot of .NET app user mini-dumps you have probably come across this issue:

user32!NtUserWaitMessage+0xa:
00000000`775b933a c3              ret
0:000> .load C:\windows\Microsoft.NET\Framework64\v2.0.50727\sos.dll
0:000> !eestack -ee
Failed to load data access DLL, 0x80004005
Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
            2) the file mscordacwks.dll that matches your version of mscorwks.dll is
                in the version directory
            3) or, if you are debugging a dump file, verify that the file
                mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
            4) you are debugging on the same architecture as the dump file.
                For example, an IA64 dump file must be debugged on an IA64
                machine.

You can also run the debugger command .cordll to control the debugger’s
load of mscordacwks.dll.  .cordll -ve -u -l will do a verbose reload.
If that succeeds, the SOS command should work on retry.

If you are debugging a minidump, you need to make sure that your executable
path is pointing to mscorwks.dll as well.
0:000> !sym noisy
noisy mode – symbol prompts on
0:000> .cordll -ve -u -l
CLRDLL: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscordacwks.dll:2.0.50727.8000 f:0
doesn’t match desired version 2.0.50727.5477 f:0
SYMSRV:  c:\symbols\mscordacwks_AMD64_AMD64_2.0.50727.5477.dll\5265C8EE99d000\mscordacwks_AMD64_AMD64_2.0.50727.5477.dll not found
SYMSRV: 
http://msdl.microsoft.com/download/symbols/mscordacwks_AMD64_AMD64_2.0.50727.5477.dll/5265C8EE99d000/mscordacwks_AMD64_AMD64_2.0.50727.5477.dll not found
CLRDLL: Unable to find mscordacwks_AMD64_AMD64_2.0.50727.5477.dll by mscorwks search
CLRDLL: Unable to find ‘mscordacwks_AMD64_AMD64_2.0.50727.5477.dll’ on the path
DBGHELP: c:\symbols\mscorwks.dll\5265C8EE99d000\mscorwks.dll – OK
CLRDLL: Unable to get version info for ‘c:\symbols\mscorwks.dll\5265C8EE99d000\mscordacwks_AMD64_AMD64_2.0.50727.5477.dll’, Win32 error 0n87
Cannot Automatically load SOS
CLRDLL: ERROR: Unable to load DLL mscordacwks_AMD64_AMD64_2.0.50727.5477.dll, Win32 error 0n87
CLR DLL status: ERROR: Unable to load DLL mscordacwks_AMD64_AMD64_2.0.50727.5477.dll, Win32 error 0n87

It would be far too easy if Microsoft was kind enough to provide these via the symbol server. Of course you can copy mscordacwks (in this case C:\windows\Microsoft.NET\Framework64\v2.0.50727\mscordacwks.dll ) from the machine dump was generated on, rename it to the file mentioned i.e. mscordacwks_AMD64_AMD64_2.0.50727.5477.dll and put it in a folder that is in your PATH environment variable. In this case of analysing a . NET 4.0 dump on .NET 4.5 you will also need sos.dll from target machine…..

What if you don’t have access to the target machine?

You can do  a search on http://support.microsoft.com for mscordacwks version

image

If you want you can confirm the update has the file you want by checking the File Information section of the KB article.

image

Now we can go to http://catalog.update.microsoft.com and search for the KB number (You must use Internet Explorer, as site uses ActiveX controls) In this case I wanted the x64 version so I added it to the basket and downloaded it

image

Now we extract it. In this case the file was placed into a folder called Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 SP1 for x64-based Systems (KB2898857) containing the update file AMD64_X86_IA64-all-windows6.1-kb2898857-x64_c6960541776b7cc108be7eab97eaf3fdbb26a666.msu

 

expand –F:* AMD64_X86_IA64-all-windows6.1-kb2898857-x64_c6960541776b7cc108be7eab97eaf3fdbb26a666.msu C:\extract

Make a note of the .CAB file with KB number extracted, in this case Windows6.1-KB2898857-x64.cab

cd \extract

expand –F:* Windows6.1-KB2898857-x64.cab C:\extract

Now you can grab your mscordacwks.dll. Note the folder version numbers don’t match up with the file version number that we are looking for:

image

I check the file version and confirm it is correct one, then rename it

image 

I then copy the file into a directory that is in my PATH environment variable, and we re-run .cordll -ve -u –l

And have success – Loaded DLL.

0:000> .cordll -ve -u -l
CLRDLL: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscordacwks.dll:2.0.50727.8000 f:0
doesn’t match desired version 2.0.50727.5477 f:0
SYMSRV:  c:\symbols\mscordacwks_AMD64_AMD64_2.0.50727.5477.dll\5265C8EE99d000\mscordacwks_AMD64_AMD64_2.0.50727.5477.dll not found
SYMSRV: 
http://msdl.microsoft.com/download/symbols/mscordacwks_AMD64_AMD64_2.0.50727.5477.dll/5265C8EE99d000/mscordacwks_AMD64_AMD64_2.0.50727.5477.dll not found
CLRDLL: Unable to find mscordacwks_AMD64_AMD64_2.0.50727.5477.dll by mscorwks search
CLRDLL: Unable to find ‘SOS_AMD64_AMD64_2.0.50727.5477.dll’ on the path
Cannot Automatically load SOS
CLRDLL: Loaded DLL mscordacwks_AMD64_AMD64_2.0.50727.5477.dll
CLR DLL status: Loaded DLL mscordacwks_AMD64_AMD64_2.0.50727.5477.dll

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in .NET, WinDbg. Bookmark the permalink.

11 Responses to Obtaining Correct Mscordacwks.dll for .NET WinDbg’ing

  1. Dave says:

    Thanks so much for the clear description of how you found the dll.
    Just got a clr dmp file loaded after hours of trying.

  2. Nick says:

    Thank you so much for this. Been searching the web for hours

  3. Vlad says:

    Thank you very much. That helped me in the case when windbg “noisy mode” was unable to download correct version of sos.

  4. There must be a programmatic way to do it, since Visual Studio manages to do it automagically.

    • PS The way I do this is to load the dmp into Visual Studio then use Process Explorer to see what mscordacwks.dll it is using and where it downloaded it to. Then I copy that file to mscordawks_xxx_xxx.dll as above.

    • WinDbg will do it automatically on a machine where the file exists, and it will try to get it from Windows Symbol Server, but in my experience that usually fails.

      • “if you are the machine where crash occurred” – this is rarely the case for me since I spend a lot of time looking at crash dumps uploaded by our customers. Many times the customer has a different version of the CLR than me and windbg fails to load SOS. In each case I have debugged the dmp in Visual Studio and the right mscordacwks dll is somehow found and downloaded. I then copy that file to somewhere windbg can find it.

      • Ok, I will try this in Visual Studio. If Visual Studio is locating this somewhere, I will make a WinDbg extension to do it automatically.

  5. Bret says:

    This helped me a lot…nowhere did I find that I needed to rename the file. That got me around that error but then :

    Type: Microsoft.Diagnostics.Runtime.ClrDiagnosticsException

    Message: Failure loading DAC: CreateDacInstance failed 0x80070057

    Stack Trace:
    Microsoft.Diagnostics.Runtime.DacLibrary..ctor(DataTargetImpl dataTarget, String dacDll)
    Microsoft.Diagnostics.Runtime.DataTargetImpl.CreateRuntime(String dacFilename)
    DebugDiag.DotNet.NetDbgObj.CreateRuntime(String symbolPath, DataTarget target, Int32 runtimeIndex, ClrInfo& clrInfo)
    DebugDiag.DotNet.NetDbgObj.CreateRuntimeAndGetHeap(String dumpPath, IDbgObj3 legacyDebugger, String symbolPath, Boolean throwOnBitnessMismatch, Boolean loadClrHeap)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s