Debugging / Viewing Windows Update Log on Windows 10 Insider Builds

Having confirmed with WinDbg team currently insider builds don’t get public symbols unless it is a major release (They are looking into a solution….)

How are we going to debug anything on bleeding edge systems “Fast Track Updates” in the meantime?

To workaround this problem I did the following

1) Downloaded the latest Windows 10 symbol package publicly available

https://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

I installed them into a folder C:\win10symbols

2) Download ChkMatch tool from here http://www.debuginfo.com/tools/chkmatch.html

Note it is 32-bit only tool, so when specifying path to 64-bit files in C:\windows\system32 you must use path C:\windows\sysnative

3) Delete any files in <debugger directory>\sym folder (i.e. C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym )

Here is the WinDbg output:

Before ChkMatch

0:000> .reload
Reloading current modules
…..
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll –

************* Symbol Loading Error Summary **************
Module name            Error
ntdll                  PDB not found : c:\win10symbols\symbols\dll\ntdll.pdb

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
0:000> !peb
PEB at 00007ff6759af000
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn’t have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing “.symopt- 100”. Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***
*************************************************************************
error 3 InitTypeRead( nt!_PEB at 00007ff6759af000)…

I then ran the following command:

C:\>chkmatch -m C:\windows\sysnative\ntdll.dll c:\win10symbols\ntdll.pdb\B9A5AE37F693422C89FBF6471E0FC5F51\ntdll.pdb
ChkMatch – version 1.0
Copyright (C) 2004 Oleg Starodumov
http://www.debuginfo.com/

Executable: C:\windows\sysnative\ntdll.dll
Debug info file: c:\win10symbols\ntdll.pdb\B9A5AE37F693422C89FBF6471E0FC5F51\ntdll.pdb

Executable:
TimeDateStamp: 55cbff9a
Debug info: 2 ( CodeView )
TimeStamp: 55cbff9a  Characteristics: 0  MajorVer: 0  MinorVer: 0
Size: 34  RVA: 0011ebe8  FileOffset: 0011cbe8
CodeView format: RSDS
Signature: {7edb4a59-efff-47ec-b12f-7697e9226177}  Age: 1
PdbFile: ntdll.pdb
Debug info: 13 ( Unknown )
TimeStamp: 55cbff9a  Characteristics: 0  MajorVer: 0  MinorVer: 0
Size: 1084  RVA: 0011ec20  FileOffset: 0011cc20

Debug information file:
Format: PDB 7.00
Signature: {b9a5ae37-f693-422c-89fb-f6471e0fc5f5}  Age: 2

Writing to the debug information file…
Result: Success.

0:000> .reload
Reloading current modules
…..
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
0:000> !peb
PEB at 00007ff6759af000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00007ff676040000
    Ldr                       00007fffdf8b71e0
    Ldr.Initialized:          Yes

 

etc…

 

Note: This solution only works if the PDB age signature matches the current DLL, more info about this here: http://www.debuginfo.com/articles/debuginfomatch.html

Windows Update Log using PowerShell Get-WindowsUpdateLog just returning GUIDs?

1601/01/01 11:00:00.0000000 980   8592                  Unknown( 14): GUID=464bbb57-d1b3-22d8-23ef-338952442d14 (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 10): GUID=524890e0-a6db-a018-bdf5-146836fbf25d (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 11): GUID=6388909c-9384-8454-6d45-b6165f613f9a (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 11): GUID=524890e0-a6db-a018-bdf5-146836fbf25d (No Format Information found).
1601/01/01 11:00:00.0000000 980   8592                  Unknown( 23): GUID=ccdda195-7c91-4637-05e0-79cdf332fe13 (No Format Information found).

Using Fiddler I quickly identified the PDB files it wanted:

image

 

Copying the URL column into Excel I did a quick & dirty processing. Filtered on items ending with .PDB and copied the result into a new sheet, then added formula to extract just the filename

=TRIM(RIGHT(SUBSTITUTE(A1,"/",REPT(" ",LEN(A1))),LEN(A1)))

 

Then pivot table on that column we find the PDB files this process relies on:

storewuauth.pdb
wuapi.pdb
wuauclt.pdb
wuaueng.pdb
wuautoappupdate.pdb
wuuhext.pdb

 

This resulted in running the following commands, all of which reported success.

chkmatch -m c:\Windows\WinSxS\amd64_microsoft-windows-s..e-windowsupdateauth_31bf3856ad364e35_10.0.10525.0_none_8b70d1ffa911692a\storewuauth.dll c:\win10symbols\storewuauth.pdb\5A9142A09775486CB3053E2D6D6A7B6F1\storewuauth.pdb chkmatch -m c:\windows\sysnative\wuapi.dll C:\win10symbols\wuapi.pdb\03E47413D978470EB9438AD21D5B208E1\wuapi.pdb chkmatch -m c:\windows\sysnative\wuauclt.exe c:\win10symbols\wuauclt.pdb\E0D0C18A15D24973B0AE8799EFFFC1001\wuauclt.pdb chkmatch -m c:\windows\sysnative\wuaueng.dll c:\win10symbols\wuaueng.pdb\EBADD49A0078487A8BD8DBFE7D56D88B1\wuaueng.pdb chkmatch -m c:\windows\sysnative\wuautoappupdate.dll c:\win10symbols\wuautoappupdate.pdb\2E4D201B897D4FACB97B5198FC9B2CBD1\wuautoappupdate.pdb chkmatch -m c:\windows\sysnative\wuuhext.dll c:\win10symbols\wuuhext.pdb\C94A76FA1A6546D38EBCAAE1B7C0A39C1\wuuhext.pdb

We then run PowerShell cmd

Get-WindowsUpdateLog –SymbolServer C:\win10symbols

However unlike WinDbg, this is not working, as the paths don’t match

image

So I made a copy of each folder, the copy with the same name that tracerpt.exe was looking for

image

WOW! I CAN NOW READ THE WINDOWS UPDATE LOG!!!!!!!!!!!!!!!!!!!!!!!!!!!! WOO-HOO

That was easy.

2015/09/01 10:40:01.8948051 996   9112  SLS             Retrieving SLS response from server using ETAG Ww/uzEDtiHGuCQKdqqiVoucsE3BysNngQpDk+NfngSU=_1440″…”
2015/09/01 10:40:01.8949751 996   9112  SLS             Making request with URL
HTTPS://sls.update.microsoft.com/SLS/{7971F918-A847-4430-9279-4A52D1EFE18D}/x64/10.0.10525.0/0?CH=423&L=en-US&P=&PT=0x30&WUA=10.0.10525.0
2015/09/01 10:40:22.9594201 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:40:22.9594266 996   9112  Misc            WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2; retrying with default proxy.
2015/09/01 10:40:43.9686947 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:40:43.9687321 996   9112  SLS             Failed: hr = 0x80072EE2
2015/09/01 10:40:43.9690170 996   9112  SLS             GetResponse failed with hresult 0x80072ee2…
2015/09/01 10:40:43.9690306 996   9112  Agent           Failed to retrieve SLS response data for service 7971f918-a847-4430-9279-4a52d1efe18d, error = 0x80072ee2
2015/09/01 10:40:43.9884897 996   9112  SLS             Retrieving SLS response from server using ETAG Ww/uzEDtiHGuCQKdqqiVoucsE3BysNngQpDk+NfngSU=_1440″…”
2015/09/01 10:40:43.9887935 996   9112  SLS             Making request with URL
HTTPS://sls.update.microsoft.com/SLS/{7971F918-A847-4430-9279-4A52D1EFE18D}/x64/10.0.10525.0/0?CH=423&L=en-US&P=&PT=0x30&WUA=10.0.10525.0
2015/09/01 10:41:05.0047561 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:41:05.0047606 996   9112  Misc            WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2; retrying with default proxy.
2015/09/01 10:41:26.0152702 996   9112  Misc            Send request failed, hr:0x80072ee2
2015/09/01 10:41:26.0152821 996   9112  SLS             Failed: hr = 0x80072EE2
2015/09/01 10:41:26.0157665 996   9112  SLS             GetResponse failed with hresult 0x80072ee2…
2015/09/01 10:41:26.0157936 996   9112  Misc            EP: error: 0x80072EE2 : – failed to get SLS data

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Fiddler, ProcMon, WinDbg, Windows 10 and tagged . Bookmark the permalink.

5 Responses to Debugging / Viewing Windows Update Log on Windows 10 Insider Builds

  1. Joel says:

    Much better than the old method of opening the WindowsUpdate.log from C:\Windows… :)

  2. Elt Ag says:

    They make it so difficult to just view the log lol…I downloaded the symbol pack and ran the PowerShell Get-WindowsUpdateLog … now I have to go in Excel and parse, and use Fiddler lol… why such a complicated way just to view their log

  3. Elt Ag says:

    I don’t get it where is the WinDbg steps of the instructions :(

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s