Debugging / Viewing Windows Update Log on Windows 10 Insider Builds

Having confirmed with WinDbg team currently insider builds don’t get public symbols unless it is a major release (They are looking into a solution….)

How are we going to debug anything on bleeding edge systems “Fast Track Updates” in the meantime?

To workaround this problem I did the following

1) Downloaded the latest Windows 10 symbol package publicly available

https://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

I installed them into a folder C:\win10symbols

2) Download ChkMatch tool from here http://www.debuginfo.com/tools/chkmatch.html

Note it is 32-bit only tool, so when specifying path to 64-bit files in C:\windows\system32 you must use path C:\windows\sysnative

3) Delete any files in <debugger directory>\sym folder (i.e. C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym )

Here is the WinDbg output:

Before ChkMatch

0:000> .reload
Reloading current modules
…..
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll –

************* Symbol Loading Error Summary **************
Module name            Error
ntdll                  PDB not found : c:\win10symbols\symbols\dll\ntdll.pdb

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
0:000> !peb
PEB at 00007ff6759af000
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn’t have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing “.symopt- 100”. Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***
*************************************************************************
error 3 InitTypeRead( nt!_PEB at 00007ff6759af000)…

I then ran the following command:

C:\>chkmatch -m C:\windows\sysnative\ntdll.dll c:\win10symbols\ntdll.pdb\B9A5AE37F693422C89FBF6471E0FC5F51\ntdll.pdb
ChkMatch – version 1.0
Copyright (C) 2004 Oleg Starodumov
http://www.debuginfo.com/

Executable: C:\windows\sysnative\ntdll.dll
Debug info file: c:\win10symbols\ntdll.pdb\B9A5AE37F693422C89FBF6471E0FC5F51\ntdll.pdb

Executable:
TimeDateStamp: 55cbff9a
Debug info: 2 ( CodeView )
TimeStamp: 55cbff9a  Characteristics: 0  MajorVer: 0  MinorVer: 0
Size: 34  RVA: 0011ebe8  FileOffset: 0011cbe8
CodeView format: RSDS
Signature: {7edb4a59-efff-47ec-b12f-7697e9226177}  Age: 1
PdbFile: ntdll.pdb
Debug info: 13 ( Unknown )
TimeStamp: 55cbff9a  Characteristics: 0  MajorVer: 0  MinorVer: 0
Size: 1084  RVA: 0011ec20  FileOffset: 0011cc20

Debug information file:
Format: PDB 7.00
Signature: {b9a5ae37-f693-422c-89fb-f6471e0fc5f5}  Age: 2

Writing to the debug information file…
Result: Success.

0:000> .reload
Reloading current modules
…..
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
0:000> !peb
PEB at 00007ff6759af000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00007ff676040000
    Ldr                       00007fffdf8b71e0
    Ldr.Initialized:          Yes

 

etc…

 

Note: This solution only works if the PDB age signature matches the current DLL, more info about this here: http://www.debuginfo.com/articles/debuginfomatch.html

Windows Update Log using PowerShell Get-WindowsUpdateLog just returning GUIDs?

1601/01/01 11:00:00.0000000 980   8592                  Unknown( 14): GUID=464bbb57-d1b3-22d8-23ef-338952442d14 (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 10): GUID=524890e0-a6db-a018-bdf5-146836fbf25d (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 11): GUID=6388909c-9384-8454-6d45-b6165f613f9a (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 11): GUID=524890e0-a6db-a018-bdf5-146836fbf25d (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 23): GUID=ccdda195-7c91-4637-05e0-79cdf332fe13 (No Format Information found).

Using Fiddler I quickly identified the PDB files it wanted:

 

Copying the URL column into Excel I did a quick & dirty processing. Filtered on items ending with .PDB and copied the result into a new sheet, then added formula to extract just the filename

=TRIM(RIGHT(SUBSTITUTE(A1,"/",REPT(" ",LEN(A1))),LEN(A1))) 

 

Then pivot table on that column we find the PDB files this process relies on:

storewuauth.pdb
wuapi.pdb
wuauclt.pdb
wuaueng.pdb
wuautoappupdate.pdb
wuuhext.pdb

 

This resulted in running the following commands, all of which reported success.

chkmatch -m c:\Windows\WinSxS\amd64_microsoft-windows-s..e-windowsupdateauth_31bf3856ad364e35_10.0.10525.0_none_8b70d1ffa911692a\storewuauth.dll c:\win10symbols\storewuauth.pdb\5A9142A09775486CB3053E2D6D6A7B6F1\storewuauth.pdb 
chkmatch -m c:\windows\sysnative\wuapi.dll C:\win10symbols\wuapi.pdb\03E47413D978470EB9438AD21D5B208E1\wuapi.pdb
chkmatch -m c:\windows\sysnative\wuauclt.exe c:\win10symbols\wuauclt.pdb\E0D0C18A15D24973B0AE8799EFFFC1001\wuauclt.pdb
chkmatch -m c:\windows\sysnative\wuaueng.dll c:\win10symbols\wuaueng.pdb\EBADD49A0078487A8BD8DBFE7D56D88B1\wuaueng.pdb
chkmatch -m c:\windows\sysnative\wuautoappupdate.dll c:\win10symbols\wuautoappupdate.pdb\2E4D201B897D4FACB97B5198FC9B2CBD1\wuautoappupdate.pdb
chkmatch -m c:\windows\sysnative\wuuhext.dll c:\win10symbols\wuuhext.pdb\C94A76FA1A6546D38EBCAAE1B7C0A39C1\wuuhext.pdb

We then run PowerShell cmd

Get-WindowsUpdateLog –SymbolServer C:\win10symbols

However unlike WinDbg, this is not working, as the paths don’t match

So I made a copy of each folder, the copy with the same name that tracerpt.exe was looking for

WOW! I CAN NOW READ THE WINDOWS UPDATE LOG!!!!!!!!!!!!!!!!!!!!!!!!!!!! WOO-HOO

That was easy.

2015/09/01 10:40:01.8948051 996   9112  SLS             Retrieving SLS response from server using ETAG Ww/uzEDtiHGuCQKdqqiVoucsE3BysNngQpDk+NfngSU=_1440″…”
2015/09/01 10:40:01.8949751 996   9112  SLS             Making request with URL HTTPS://sls.update.microsoft.com/SLS/{7971F918-A847-4430-9279-4A52D1EFE18D}/x64/10.0.10525.0/0?CH=423&L=en-US&P=&PT=0x30&WUA=10.0.10525.0
2015/09/01 10:40:22.9594201 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:40:22.9594266 996   9112  Misc            WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2; retrying with default proxy.
2015/09/01 10:40:43.9686947 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:40:43.9687321 996   9112  SLS             Failed: hr = 0x80072EE2
2015/09/01 10:40:43.9690170 996   9112  SLS             GetResponse failed with hresult 0x80072ee2…
2015/09/01 10:40:43.9690306 996   9112  Agent           Failed to retrieve SLS response data for service 7971f918-a847-4430-9279-4a52d1efe18d, error = 0x80072ee2
2015/09/01 10:40:43.9884897 996   9112  SLS             Retrieving SLS response from server using ETAG Ww/uzEDtiHGuCQKdqqiVoucsE3BysNngQpDk+NfngSU=_1440″…”
2015/09/01 10:40:43.9887935 996   9112  SLS             Making request with URL HTTPS://sls.update.microsoft.com/SLS/{7971F918-A847-4430-9279-4A52D1EFE18D}/x64/10.0.10525.0/0?CH=423&L=en-US&P=&PT=0x30&WUA=10.0.10525.0
2015/09/01 10:41:05.0047561 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:41:05.0047606 996   9112  Misc            WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2; retrying with default proxy.
2015/09/01 10:41:26.0152702 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:41:26.0152821 996   9112  SLS             Failed: hr = 0x80072EE2
2015/09/01 10:41:26.0157665 996   9112  SLS             GetResponse failed with hresult 0x80072ee2…
2015/09/01 10:41:26.0157936 996   9112  Misc            EP: error: 0x80072EE2 : – failed to get SLS data