dumping contents of .txt file

raj_r · August 2, 2011, 5:59am

from the below info how can i view the contents of the text file or
any other file whose shared cache map is NULL in windbg any ideas

kd> .shell -ci “!memusage” grep -i “file_object.txt”
<.shell waiting 10 second(s) for process>
ffa6e4a8 0 8 0 0 0 0 mapped_file( FILE_OBJECT.txt )
ffa6a508 0 4 0 0 0 0 mapped_file(
FILE_OBJECT.txt.lnk )
.shell: Process exited
kd> !ca ffa6e4a8

ControlArea @ ffa6e4a8
Segment e1c35088 Flink ffa6d804 Blink 811abaac
Section Ref 0 Pfn Ref 2 Mapped Views 0
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffa6dd38 ModWriteCount 0 System Views 0

Flags (9008080) File WasPurged HadUserReference Accessed

File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt

Segment @ e1c35088
ControlArea ffa6e4a8 ExtendInfo 0171b4ca
Total Ptes 40
WriteUserRef 0 SizeOfSegment 40000
Committed 0 PTE Template 0
Based Addr 171b4ca Image Base 0

Subsection 1 @ ffa6e4d8
ControlArea ffa6e4a8 Starting Sector 0 Number Of Sectors 40
Base Pte e1c357c8 Ptes In Subsect 40 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0

ntoskrnl.pdb doesnot have _MAPPED_FILE_SEGMENT struct in it i added it
to pdb manually using info from wild

–
thanks and regards

raj_r

raj_r · August 2, 2011, 1:29pm

here is a dump of another text file presumably opened by TaskScheduler
Service

but for a file with Shared cache map= null can we crawl around somehow ??

nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3

kd> $$>a< scripts/memu.txt txt

<.shell waiting 10 second(s) for process>
811644a0 12 0 0 0 0 0 mapped_file( SchedLgU.Txt )
.shell: Process exited

kd> !ca 811644a0

ControlArea @ 811644a0
Segment e1548188 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 3 Mapped Views 1
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffbbeae0 ModWriteCount 0 System Views 1

Flags (8008080) File WasPurged Accessed

File: \WINDOWS\SchedLgU.Txt

Segment @ e1548188
ControlArea 811644a0 ExtendInfo 80cd4cd4
Total Ptes 100
WriteUserRef 0 SizeOfSegment 100000
Committed 0 PTE Template 0
Based Addr 80cd4cd4 Image Base 0

Subsection 1 @ 811644d0
ControlArea 811644a0 Starting Sector 0 Number Of Sectors 3
Base Pte e1597620 Ptes In Subsect 3 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0

kd> !fileobj ffbbeae0

\WINDOWS\SchedLgU.Txt

Device Object: 0x8126ee30 \Driver\Ftdisk
Vpb: 0x8126ff38
Event signalled
Access: Read Write SharedRead

Flags: 0xc1052
Synchronous IO
Write Through
Cache Supported
Modified
Handle Created
Fast IO Read

Could not read memory for Irp List
FsContext: 0xe15498d8 FsContext2: 0xe15d65f0
Private Cache Map: 0xffbbd598
CurrentByteOffset: 254a
Cache Data:
Section Object Pointers: 81164514
Shared Cache Map: ffbbd4c0 File Offset: 254a in VACB number 0
Vacb: 81254128
Your data is at: caf0254a

kd> du caf00000 L?2600
caf00000 “?“Task Scheduler Service”… Star”
caf00040 “ted at 2/26/2010 8:37:18 PM…“Ta”
caf00080 “sk Scheduler Service”… Exited a”
caf000c0 "t 2/26/2010 8:49:48 PM…“Task Sc”

cutoff the last but two entries in quick succession was
done by me with net start scheduler
net stop schedular
and last but third with Sc Stop Scheduler

caf02300 ““Task Scheduler Service”… Start”
caf02340 “ed at 8/2/2011 3:38:38 PM…“Task”
caf02380 " Scheduler Service”… Exited at "
caf023c0 “8/2/2011 4:57:23 PM…“Task Sched”
caf02400 “uler Service”… Started at 8/2/2”
caf02440 "011 4:57:47 PM…“Task Scheduler "
caf02480 “Service”… Exited at 8/2/2011 4:”
caf024c0 "57:52 PM…“Task Scheduler Servic”

so yes some txt files can be read

how to read a txt file contents of my choice ??
caf02500 “e”… Started at 8/2/2011 5:39:54"
caf02540 " PM…[ ***** Most recent entry i"
caf02580 “s above this line ***** ]…”

“raj_r” wrote in message news:xxxxx@windbg…
> from the below info how can i view the contents of the text file or
> any other file whose shared cache map is NULL in windbg any ideas
>
> kd> .shell -ci “!memusage” grep -i “file_object.txt”
> <.shell waiting 10 second(s) for process>
> ffa6e4a8 0 8 0 0 0 0 mapped_file(
> FILE_OBJECT.txt )
> ffa6a508 0 4 0 0 0 0 mapped_file(
> FILE_OBJECT.txt.lnk )
> .shell: Process exited
> kd> !ca ffa6e4a8
>
> ControlArea @ ffa6e4a8
> Segment e1c35088 Flink ffa6d804 Blink 811abaac
> Section Ref 0 Pfn Ref 2 Mapped Views 0
> User Ref 0 WaitForDel 0 Flush Count 0
> File Object ffa6dd38 ModWriteCount 0 System Views 0
>
> Flags (9008080) File WasPurged HadUserReference Accessed
>
> File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt
>
> Segment @ e1c35088
> ControlArea ffa6e4a8 ExtendInfo 0171b4ca
> Total Ptes 40
> WriteUserRef 0 SizeOfSegment 40000
> Committed 0 PTE Template 0
> Based Addr 171b4ca Image Base 0
>
>
> Subsection 1 @ ffa6e4d8
> ControlArea ffa6e4a8 Starting Sector 0 Number Of Sectors 40
> Base Pte e1c357c8 Ptes In Subsect 40 Unused Ptes 0
> Flags 60 Sector Offset 0 Protection 6
> Flink 00000000 Blink 00000000 MappedViews 0
> SubsectionDataFlags 0
>
>
> ntoskrnl.pdb doesnot have _MAPPED_FILE_SEGMENT struct in it i added it
> to pdb manually using info from wild
>
> –
> thanks and regards
>
> raj_r
>

Pavel_Lebedinsky · August 2, 2011, 6:03pm

You can look at proto PTEs for the section and for those that are valid or transition, use !dc to dump the corresponding physical pages:

lkd> !ca fffffa8006487f20
…
\Users\foo\Searches\desktop.ini

Subsection 1 @ fffffa8006487f90
…
Base Pte fffff8a008f092a0 Ptes In Subsect 1 Unused Ptes 0

lkd> dq fffff8a008f092a0
fffff8a008f092a0 00000001476e28c0 0000000000000000 fffff8a008f092b0 74536d4d03020002 fffff8828e5bf63c

lkd> !pte fffff8a008f092a0 1
VA fffff8a008f092a0
PXE at FFFFF8A008F092A0 PPE at FFFFF8A008F092A0 PDE at FFFFF8A008F092A0 PTE at FFFFF8A008F092A0
contains 00000001476E28C0
not valid
Transition: 1476e2
Protect: 6 - ReadWriteExecute

lkd> !dc 1476e2000
#1476e2000 000dfeff 005b000a 0053002e 00650068 …[…S.h.e.
#1476e2010 006c006c 006c0043 00730061 00490073 l.l.C.l.a.s.s.I.
#1476e2020 0066006e 005d006f 000a000d 006f004c n.f.o.]…L.o.
#1476e2030 00610063 0069006c 0065007a 00520064 c.a.l.i.z.e.d.R.
#1476e2040 00730065 0075006f 00630072 004e0065 e.s.o.u.r.c.e.N.
#1476e2050 006d0061 003d0065 00250040 00790053 a.m.e.=.@.%.S.y.
#1476e2060 00740073 006d0065 006f0052 0074006f s.t.e.m.R.o.o.t.
#1476e2070 005c0025 00790073 00740073 006d0065 %..s.y.s.t.e.m.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj
Sent: Tuesday, August 02, 2011 10:28 AM
To: Kernel Debugging Interest List
Subject: Re:[windbg] dumping contents of .txt file

here is a dump of another text file presumably opened by TaskScheduler Service

but for a file with Shared cache map= null can we crawl around somehow ??

nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3

kd> $$>a< scripts/memu.txt txt

<.shell waiting 10 second(s) for process>
811644a0 12 0 0 0 0 0 mapped_file( SchedLgU.Txt )
.shell: Process exited

kd> !ca 811644a0

ControlArea @ 811644a0
Segment e1548188 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 3 Mapped Views 1
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffbbeae0 ModWriteCount 0 System Views 1

Flags (8008080) File WasPurged Accessed

File: \WINDOWS\SchedLgU.Txt

Segment @ e1548188
ControlArea 811644a0 ExtendInfo 80cd4cd4
Total Ptes 100
WriteUserRef 0 SizeOfSegment 100000
Committed 0 PTE Template 0
Based Addr 80cd4cd4 Image Base 0

Subsection 1 @ 811644d0
ControlArea 811644a0 Starting Sector 0 Number Of Sectors 3
Base Pte e1597620 Ptes In Subsect 3 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0

kd> !fileobj ffbbeae0

\WINDOWS\SchedLgU.Txt

Device Object: 0x8126ee30 \Driver\Ftdisk
Vpb: 0x8126ff38
Event signalled
Access: Read Write SharedRead

Flags: 0xc1052
Synchronous IO
Write Through
Cache Supported
Modified
Handle Created
Fast IO Read

Could not read memory for Irp List
FsContext: 0xe15498d8 FsContext2: 0xe15d65f0 Private Cache Map: 0xffbbd598
CurrentByteOffset: 254a
Cache Data:
Section Object Pointers: 81164514
Shared Cache Map: ffbbd4c0 File Offset: 254a in VACB number 0
Vacb: 81254128
Your data is at: caf0254a

kd> du caf00000 L?2600
caf00000 “?“Task Scheduler Service”… Star”
caf00040 “ted at 2/26/2010 8:37:18 PM…“Ta”
caf00080 “sk Scheduler Service”… Exited a”
caf000c0 "t 2/26/2010 8:49:48 PM…“Task Sc”

cutoff the last but two entries in quick succession was done by me with net start scheduler net stop schedular and last but third with Sc Stop Scheduler

caf02300 ““Task Scheduler Service”… Start”
caf02340 “ed at 8/2/2011 3:38:38 PM…“Task”
caf02380 " Scheduler Service”… Exited at "
caf023c0 “8/2/2011 4:57:23 PM…“Task Sched”
caf02400 “uler Service”… Started at 8/2/2”
caf02440 "011 4:57:47 PM…“Task Scheduler "
caf02480 “Service”… Exited at 8/2/2011 4:”
caf024c0 "57:52 PM…“Task Scheduler Servic”

so yes some txt files can be read

how to read a txt file contents of my choice ??
caf02500 “e”… Started at 8/2/2011 5:39:54"
caf02540 " PM…[ ***** Most recent entry i"
caf02580 “s above this line ***** ]…”

“raj_r” wrote in message news:xxxxx@windbg…
> from the below info how can i view the contents of the text file or
> any other file whose shared cache map is NULL in windbg any ideas
>
> kd> .shell -ci “!memusage” grep -i “file_object.txt”
> <.shell waiting 10 second(s) for process>
> ffa6e4a8 0 8 0 0 0 0 mapped_file(
> FILE_OBJECT.txt )
> ffa6a508 0 4 0 0 0 0 mapped_file(
> FILE_OBJECT.txt.lnk )
> .shell: Process exited
> kd> !ca ffa6e4a8
>
> ControlArea @ ffa6e4a8
> Segment e1c35088 Flink ffa6d804 Blink 811abaac
> Section Ref 0 Pfn Ref 2 Mapped Views 0
> User Ref 0 WaitForDel 0 Flush Count 0
> File Object ffa6dd38 ModWriteCount 0 System Views 0
>
> Flags (9008080) File WasPurged HadUserReference Accessed
>
> File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt
>
> Segment @ e1c35088
> ControlArea ffa6e4a8 ExtendInfo 0171b4ca
> Total Ptes 40
> WriteUserRef 0 SizeOfSegment 40000
> Committed 0 PTE Template 0
> Based Addr 171b4ca Image Base 0
>
>
> Subsection 1 @ ffa6e4d8
> ControlArea ffa6e4a8 Starting Sector 0 Number Of Sectors 40
> Base Pte e1c357c8 Ptes In Subsect 40 Unused Ptes 0
> Flags 60 Sector Offset 0 Protection 6
> Flink 00000000 Blink 00000000 MappedViews 0
> SubsectionDataFlags 0
>
>
> ntoskrnl.pdb doesnot have _MAPPED_FILE_SEGMENT struct in it i added it
> to pdb manually using info from wild
>
> –
> thanks and regards
>
> raj_r
>

—
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

raj_r · August 2, 2011, 11:11pm

kd> $$>a< scripts\memu.txt txt
<.shell waiting 10 second(s) for process>
<.shell running: .shell_quit to abandon, ENTER to wait>

81167c08 12 0 0 0 0 0 mapped_file( SchedLgU.Txt )
8117e280 0 4 0 0 0 0 mapped_file(
FILE_OBJECT.txt.lnk )
8113e770 0 8 0 0 0 0 mapped_file( FILE_OBJECT.txt )
.shell: Process exited

kd> !ca 81167c08

ControlArea @ 81167c08
Segment e15403c8 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 3 Mapped Views 1
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffba87e8 ModWriteCount 0 System Views 1

Flags (8008080) File WasPurged Accessed

File: \WINDOWS\SchedLgU.Txt

Segment @ e15403c8
ControlArea 81167c08 ExtendInfo 80d0c4ce
Total Ptes 100
WriteUserRef 0 SizeOfSegment 100000
Committed 0 PTE Template 0
Based Addr 80d0c4ce Image Base 0

Subsection 1 @ 81167c38
ControlArea 81167c08 Starting Sector 0 Number Of Sectors 3
Base Pte e1594800 Ptes In Subsect 3 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !finddata ffba87e8 0

FindData for FileObject ffba87e8 Section Object Pointers: 8116772c
Shared Cache Map: 81170d90 File Offset: 0 in VACB number 0
Vacb: 812541b8
Your data is at: cb000000

kd> du cb000000 l10
cb000000 “"Task Scheduler”
kd> !ca 8113e770

ControlArea @ 8113e770
Segment e14e8998 Flink 810be0f4 Blink ffa9bfa4
Section Ref 0 Pfn Ref 2 Mapped Views 0
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffb27bc8 ModWriteCount 0 System Views 0

Flags (9008080) File WasPurged HadUserReference Accessed

File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt

Segment @ e14e8998
ControlArea 8113e770 ExtendInfo 80a77cc8
Total Ptes 40
WriteUserRef 0 SizeOfSegment 40000
Committed 0 PTE Template 0
Based Addr 80a77cc8 Image Base 0

Subsection 1 @ 8113e7a0
ControlArea 8113e770 Starting Sector 0 Number Of Sectors 40
Base Pte e1b5c8e8 Ptes In Subsect 40 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !finddata ffb27bc8 0

FindData for FileObject ffb27bc8 Section Object Pointers: ffb9c3dc
Shared Cache Map: 00000000Unable to read nt!_SHARED_CACHE_MAP at 00000000

kd> !pte e1b5c8e8 1
VA e1b5c8e8
PDE at E1B5C8E8 PTE at E1B5C8E8
contains 04AD78C2
not valid
Transition: 4ad7
Protect: 6 - ReadWriteExecute
kd> !dc 4ad70000
Physical memory read at 4ad70000 failed
If you know the caching attributes used for the memory,
try specifying [c], [uc] or [wc], as in !dd [c] .
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.
kd> !dc 04AD78C2
# 4ad78c0 676e696f 206f7420 77656976 206e6920 oing to view in
# 4ad78d0 646e6977 6f206762 6874206e 6f682065 windbg on the ho
# 4ad78e0 0a0d7473 54200a0d 20736968 74207369 st… This is t
# 4ad78f0 66206568 20656c69 74616874 20657720 he file that we
# 4ad7900 20657261 6e696f67 6f742067 65697620 are going to vie
# 4ad7910 6e692077 6e697720 20676264 74206e6f w in windbg on t
# 4ad7920 68206568 0d74736f 200a0d0a 73696854 he host… This
# 4ad7930 20736920 20656874 656c6966 61687420 is the file tha
kd> !dc 04AD7800
# 4ad7800 6e697720 20676264 74206e6f 68206568 windbg on the h
# 4ad7810 0d74736f 200a0d0a 73696854 20736920 ost… This is
# 4ad7820 20656874 656c6966 61687420 65772074 the file that we
# 4ad7830 65726120 696f6720 7420676e 6976206f are going to vi
# 4ad7840 69207765 6977206e 6762646e 206e6f20 ew in windbg on
# 4ad7850 20656874 74736f68 0a0d0a0d 69685420 the host… Thi
# 4ad7860 73692073 65687420 6c696620 68742065 s is the file th
# 4ad7870 77207461 72612065 6f672065 20676e69 at we are going
kd> !dc 04AD7000
# 4ad7000 73696854 20736920 20656874 656c6966 This is the file
# 4ad7010 61687420 65772074 65726120 696f6720 that we are goi
# 4ad7020 7420676e 6976206f 69207765 6977206e ng to view in wi
# 4ad7030 6762646e 206e6f20 20656874 74736f68 ndbg on the host
# 4ad7040 0a0d0a0d 540a0d20 20736968 74207369 … …This is t
# 4ad7050 66206568 20656c69 74616874 20657720 he file that we
# 4ad7060 20657261 6e696f67 6f742067 65697620 are going to vie
# 4ad7070 6e692077 6e697720 20676264 74206e6f w in windbg on t

On 8/3/11, Pavel Lebedynskiy wrote:
> You can look at proto PTEs for the section and for those that are valid or
> transition, use !dc to dump the corresponding physical pages:
>
> lkd> !ca fffffa8006487f20
> …
> \Users\foo\Searches\desktop.ini
>
> Subsection 1 @ fffffa8006487f90
> …
> Base Pte fffff8a008f092a0 Ptes In Subsect 1 Unused Ptes
> 0
>
> lkd> dq fffff8a008f092a0
> fffff8a008f092a0 00000001476e28c0 0000000000000000<br>> fffff8a008f092b0 74536d4d03020002 fffff8828e5bf63c
>
> lkd> !pte fffff8a008f092a0 1
> VA fffff8a008f092a0
> PXE at FFFFF8A008F092A0 PPE at FFFFF8A008F092A0 PDE at
> FFFFF8A008F092A0 PTE at FFFFF8A008F092A0
> contains 00000001476E28C0
> not valid
> Transition: 1476e2
> Protect: 6 - ReadWriteExecute
>
> lkd> !dc 1476e2000
> #1476e2000 000dfeff 005b000a 0053002e 00650068 …[…S.h.e.
> #1476e2010 006c006c 006c0043 00730061 00490073 l.l.C.l.a.s.s.I.
> #1476e2020 0066006e 005d006f 000a000d 006f004c n.f.o.]…L.o.
> #1476e2030 00610063 0069006c 0065007a 00520064 c.a.l.i.z.e.d.R.
> #1476e2040 00730065 0075006f 00630072 004e0065 e.s.o.u.r.c.e.N.
> #1476e2050 006d0061 003d0065 00250040 00790053 a.m.e.=.@.%.S.y.
> #1476e2060 00740073 006d0065 006f0052 0074006f s.t.e.m.R.o.o.t.
> #1476e2070 005c0025 00790073 00740073 006d0065 %..s.y.s.t.e.m.
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj
> Sent: Tuesday, August 02, 2011 10:28 AM
> To: Kernel Debugging Interest List
> Subject: Re:[windbg] dumping contents of .txt file
>
> here is a dump of another text file presumably opened by TaskScheduler
> Service
>
> but for a file with Shared cache map= null can we crawl around somehow ??
>
>
> nt!RtlpBreakWithStatusInstruction:
> 804e3592 cc int 3
>
> kd> $$>a< scripts/memu.txt txt
>
> <.shell waiting 10 second(s) for process>
> 811644a0 12 0 0 0 0 0 mapped_file( SchedLgU.Txt )
> .shell: Process exited
>
>
> kd> !ca 811644a0
>
> ControlArea @ 811644a0
> Segment e1548188 Flink 00000000 Blink 00000000
> Section Ref 1 Pfn Ref 3 Mapped Views 1
> User Ref 0 WaitForDel 0 Flush Count 0
> File Object ffbbeae0 ModWriteCount 0 System Views 1
>
> Flags (8008080) File WasPurged Accessed
>
> File: \WINDOWS\SchedLgU.Txt
>
> Segment @ e1548188
> ControlArea 811644a0 ExtendInfo 80cd4cd4
> Total Ptes 100
> WriteUserRef 0 SizeOfSegment 100000
> Committed 0 PTE Template 0
> Based Addr 80cd4cd4 Image Base 0
>
>
> Subsection 1 @ 811644d0
> ControlArea 811644a0 Starting Sector 0 Number Of Sectors 3
> Base Pte e1597620 Ptes In Subsect 3 Unused Ptes 0
> Flags 60 Sector Offset 0 Protection 6
> Flink 00000000 Blink 00000000 MappedViews 0
> SubsectionDataFlags 0
>
>
> kd> !fileobj ffbbeae0
>
> \WINDOWS\SchedLgU.Txt
>
> Device Object: 0x8126ee30 \Driver\Ftdisk
> Vpb: 0x8126ff38
> Event signalled
> Access: Read Write SharedRead
>
> Flags: 0xc1052
> Synchronous IO
> Write Through
> Cache Supported
> Modified
> Handle Created
> Fast IO Read
>
> Could not read memory for Irp List
> FsContext: 0xe15498d8 FsContext2: 0xe15d65f0 Private Cache Map: 0xffbbd598
> CurrentByteOffset: 254a
> Cache Data:
> Section Object Pointers: 81164514
> Shared Cache Map: ffbbd4c0 File Offset: 254a in VACB number 0
> Vacb: 81254128
> Your data is at: caf0254a
>
>
>
> kd> du caf00000 L?2600
> caf00000 “?“Task Scheduler Service”… Star”
> caf00040 “ted at 2/26/2010 8:37:18 PM…“Ta”
> caf00080 “sk Scheduler Service”… Exited a”
> caf000c0 "t 2/26/2010 8:49:48 PM…“Task Sc”
>
> cutoff the last but two entries in quick succession was done by me with net
> start scheduler net stop schedular and last but third with Sc Stop Scheduler
>
> caf02300 ““Task Scheduler Service”… Start”
> caf02340 “ed at 8/2/2011 3:38:38 PM…“Task”
> caf02380 " Scheduler Service”… Exited at "
> caf023c0 “8/2/2011 4:57:23 PM…“Task Sched”
> caf02400 “uler Service”… Started at 8/2/2”
> caf02440 "011 4:57:47 PM…“Task Scheduler “
> caf02480 “Service”… Exited at 8/2/2011 4:”
> caf024c0 “57:52 PM…“Task Scheduler Servic”
>
> so yes some txt files can be read
>
> how to read a txt file contents of my choice ??
> caf02500 “e”… Started at 8/2/2011 5:39:54”
> caf02540 " PM…[Most recent entry i"
> caf02580 "s above this line]…”
>
>
>
>
>
>
> “raj_r” wrote in message news:xxxxx@windbg…
>> from the below info how can i view the contents of the text file or
>> any other file whose shared cache map is NULL in windbg any ideas
>>
>> kd> .shell -ci “!memusage” grep -i “file_object.txt”
>> <.shell waiting 10 second(s) for process>
>> ffa6e4a8 0 8 0 0 0 0 mapped_file(
>> FILE_OBJECT.txt )
>> ffa6a508 0 4 0 0 0 0 mapped_file(
>> FILE_OBJECT.txt.lnk )
>> .shell: Process exited
>> kd> !ca ffa6e4a8
>>
>> ControlArea @ ffa6e4a8
>> Segment e1c35088 Flink ffa6d804 Blink 811abaac
>> Section Ref 0 Pfn Ref 2 Mapped Views 0
>> User Ref 0 WaitForDel 0 Flush Count 0
>> File Object ffa6dd38 ModWriteCount 0 System Views 0
>>
>> Flags (9008080) File WasPurged HadUserReference Accessed
>>
>> File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt
>>
>> Segment @ e1c35088
>> ControlArea ffa6e4a8 ExtendInfo 0171b4ca
>> Total Ptes 40
>> WriteUserRef 0 SizeOfSegment 40000
>> Committed 0 PTE Template 0
>> Based Addr 171b4ca Image Base 0
>>
>>
>> Subsection 1 @ ffa6e4d8
>> ControlArea ffa6e4a8 Starting Sector 0 Number Of Sectors 40
>> Base Pte e1c357c8 Ptes In Subsect 40 Unused Ptes 0
>> Flags 60 Sector Offset 0 Protection 6
>> Flink 00000000 Blink 00000000 MappedViews 0
>> SubsectionDataFlags 0
>>
>>
>> ntoskrnl.pdb doesnot have _MAPPED_FILE_SEGMENT struct in it i added it
>> to pdb manually using info from wild
>>
>> –
>> thanks and regards
>>
>> raj_r
>>
>
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r

raj_r · August 2, 2011, 11:13pm

kd> $$>a< scripts\memu.txt txt
<.shell waiting 10 second(s) for process>
<.shell running: .shell_quit to abandon, ENTER to wait>81167c08 12
0 0 0 0 0 mapped_file( SchedLgU.Txt )
8117e280 0 4 0 0 0 0 mapped_file(
FILE_OBJECT.txt.lnk )
8113e770 0 8 0 0 0 0 mapped_file( FILE_OBJECT.txt )
.shell: Process exited
!ca 81167c08
!ca 81167c08
kd> !ca 81167c08

ControlArea @ 81167c08
Segment e15403c8 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 3 Mapped Views 1
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffba87e8 ModWriteCount 0 System Views 1

Flags (8008080) File WasPurged Accessed

File: \WINDOWS\SchedLgU.Txt

Segment @ e15403c8
ControlArea 81167c08 ExtendInfo 80d0c4ce
Total Ptes 100
WriteUserRef 0 SizeOfSegment 100000
Committed 0 PTE Template 0
Based Addr 80d0c4ce Image Base 0

Subsection 1 @ 81167c38
ControlArea 81167c08 Starting Sector 0 Number Of Sectors 3
Base Pte e1594800 Ptes In Subsect 3 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !finddata ffba87e8 0

FindData for FileObject ffba87e8 Section Object Pointers: 8116772c
Shared Cache Map: 81170d90 File Offset: 0 in VACB number 0
Vacb: 812541b8
Your data is at: cb000000

kd> du cb000000 l10
cb000000 “"Task Scheduler”
kd> !ca 8113e770

ControlArea @ 8113e770
Segment e14e8998 Flink 810be0f4 Blink ffa9bfa4
Section Ref 0 Pfn Ref 2 Mapped Views 0
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffb27bc8 ModWriteCount 0 System Views 0

Flags (9008080) File WasPurged HadUserReference Accessed

File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt

Segment @ e14e8998
ControlArea 8113e770 ExtendInfo 80a77cc8
Total Ptes 40
WriteUserRef 0 SizeOfSegment 40000
Committed 0 PTE Template 0
Based Addr 80a77cc8 Image Base 0

Subsection 1 @ 8113e7a0
ControlArea 8113e770 Starting Sector 0 Number Of Sectors 40
Base Pte e1b5c8e8 Ptes In Subsect 40 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !finddata ffb27bc8 0

FindData for FileObject ffb27bc8 Section Object Pointers: ffb9c3dc
Shared Cache Map: 00000000Unable to read nt!_SHARED_CACHE_MAP at 00000000

kd> !pte e1b5c8e8 1
VA e1b5c8e8
PDE at E1B5C8E8 PTE at E1B5C8E8
contains 04AD78C2
not valid
Transition: 4ad7
Protect: 6 - ReadWriteExecute
kd> !dc 4ad70000
Physical memory read at 4ad70000 failed
If you know the caching attributes used for the memory,
try specifying [c], [uc] or [wc], as in !dd [c] .
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.
kd> !dc 04AD78C2
# 4ad78c0 676e696f 206f7420 77656976 206e6920 oing to view in
# 4ad78d0 646e6977 6f206762 6874206e 6f682065 windbg on the ho
# 4ad78e0 0a0d7473 54200a0d 20736968 74207369 st… This is t
# 4ad78f0 66206568 20656c69 74616874 20657720 he file that we
# 4ad7900 20657261 6e696f67 6f742067 65697620 are going to vie
# 4ad7910 6e692077 6e697720 20676264 74206e6f w in windbg on t
# 4ad7920 68206568 0d74736f 200a0d0a 73696854 he host… This
# 4ad7930 20736920 20656874 656c6966 61687420 is the file tha
kd> !dc 04AD7800
# 4ad7800 6e697720 20676264 74206e6f 68206568 windbg on the h
# 4ad7810 0d74736f 200a0d0a 73696854 20736920 ost… This is
# 4ad7820 20656874 656c6966 61687420 65772074 the file that we
# 4ad7830 65726120 696f6720 7420676e 6976206f are going to vi
# 4ad7840 69207765 6977206e 6762646e 206e6f20 ew in windbg on
# 4ad7850 20656874 74736f68 0a0d0a0d 69685420 the host… Thi
# 4ad7860 73692073 65687420 6c696620 68742065 s is the file th
# 4ad7870 77207461 72612065 6f672065 20676e69 at we are going
kd> !dc 04AD7000
# 4ad7000 73696854 20736920 20656874 656c6966 This is the file
# 4ad7010 61687420 65772074 65726120 696f6720 that we are goi
# 4ad7020 7420676e 6976206f 69207765 6977206e ng to view in wi
# 4ad7030 6762646e 206e6f20 20656874 74736f68 ndbg on the host
# 4ad7040 0a0d0a0d 540a0d20 20736968 74207369 … …This is t
# 4ad7050 66206568 20656c69 74616874 20657720 he file that we
# 4ad7060 20657261 6e696f67 6f742067 65697620 are going to vie
# 4ad7070 6e692077 6e697720 20676264 74206e6f w in windbg on t
kd> .ECHO THANKS A LOT Pavel Lebedynskiy
THANKS A LOT Pavel Lebedynskiy

On 8/3/11, Pavel Lebedynskiy wrote:
> You can look at proto PTEs for the section and for those that are valid or
> transition, use !dc to dump the corresponding physical pages:
>
> lkd> !ca fffffa8006487f20
> …
> \Users\foo\Searches\desktop.ini
>
> Subsection 1 @ fffffa8006487f90
> …
> Base Pte fffff8a008f092a0 Ptes In Subsect 1 Unused Ptes
> 0
>
> lkd> dq fffff8a008f092a0
> fffff8a008f092a0 00000001476e28c0 0000000000000000<br>> fffff8a008f092b0 74536d4d03020002 fffff8828e5bf63c
>
> lkd> !pte fffff8a008f092a0 1
> VA fffff8a008f092a0
> PXE at FFFFF8A008F092A0 PPE at FFFFF8A008F092A0 PDE at
> FFFFF8A008F092A0 PTE at FFFFF8A008F092A0
> contains 00000001476E28C0
> not valid
> Transition: 1476e2
> Protect: 6 - ReadWriteExecute
>
> lkd> !dc 1476e2000
> #1476e2000 000dfeff 005b000a 0053002e 00650068 …[…S.h.e.
> #1476e2010 006c006c 006c0043 00730061 00490073 l.l.C.l.a.s.s.I.
> #1476e2020 0066006e 005d006f 000a000d 006f004c n.f.o.]…L.o.
> #1476e2030 00610063 0069006c 0065007a 00520064 c.a.l.i.z.e.d.R.
> #1476e2040 00730065 0075006f 00630072 004e0065 e.s.o.u.r.c.e.N.
> #1476e2050 006d0061 003d0065 00250040 00790053 a.m.e.=.@.%.S.y.
> #1476e2060 00740073 006d0065 006f0052 0074006f s.t.e.m.R.o.o.t.
> #1476e2070 005c0025 00790073 00740073 006d0065 %..s.y.s.t.e.m.
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj
> Sent: Tuesday, August 02, 2011 10:28 AM
> To: Kernel Debugging Interest List
> Subject: Re:[windbg] dumping contents of .txt file
>
> here is a dump of another text file presumably opened by TaskScheduler
> Service
>
> but for a file with Shared cache map= null can we crawl around somehow ??
>
>
> nt!RtlpBreakWithStatusInstruction:
> 804e3592 cc int 3
>
> kd> $$>a< scripts/memu.txt txt
>
> <.shell waiting 10 second(s) for process>
> 811644a0 12 0 0 0 0 0 mapped_file( SchedLgU.Txt )
> .shell: Process exited
>
>
> kd> !ca 811644a0
>
> ControlArea @ 811644a0
> Segment e1548188 Flink 00000000 Blink 00000000
> Section Ref 1 Pfn Ref 3 Mapped Views 1
> User Ref 0 WaitForDel 0 Flush Count 0
> File Object ffbbeae0 ModWriteCount 0 System Views 1
>
> Flags (8008080) File WasPurged Accessed
>
> File: \WINDOWS\SchedLgU.Txt
>
> Segment @ e1548188
> ControlArea 811644a0 ExtendInfo 80cd4cd4
> Total Ptes 100
> WriteUserRef 0 SizeOfSegment 100000
> Committed 0 PTE Template 0
> Based Addr 80cd4cd4 Image Base 0
>
>
> Subsection 1 @ 811644d0
> ControlArea 811644a0 Starting Sector 0 Number Of Sectors 3
> Base Pte e1597620 Ptes In Subsect 3 Unused Ptes 0
> Flags 60 Sector Offset 0 Protection 6
> Flink 00000000 Blink 00000000 MappedViews 0
> SubsectionDataFlags 0
>
>
> kd> !fileobj ffbbeae0
>
> \WINDOWS\SchedLgU.Txt
>
> Device Object: 0x8126ee30 \Driver\Ftdisk
> Vpb: 0x8126ff38
> Event signalled
> Access: Read Write SharedRead
>
> Flags: 0xc1052
> Synchronous IO
> Write Through
> Cache Supported
> Modified
> Handle Created
> Fast IO Read
>
> Could not read memory for Irp List
> FsContext: 0xe15498d8 FsContext2: 0xe15d65f0 Private Cache Map: 0xffbbd598
> CurrentByteOffset: 254a
> Cache Data:
> Section Object Pointers: 81164514
> Shared Cache Map: ffbbd4c0 File Offset: 254a in VACB number 0
> Vacb: 81254128
> Your data is at: caf0254a
>
>
>
> kd> du caf00000 L?2600
> caf00000 “?“Task Scheduler Service”… Star”
> caf00040 “ted at 2/26/2010 8:37:18 PM…“Ta”
> caf00080 “sk Scheduler Service”… Exited a”
> caf000c0 "t 2/26/2010 8:49:48 PM…“Task Sc”
>
> cutoff the last but two entries in quick succession was done by me with net
> start scheduler net stop schedular and last but third with Sc Stop Scheduler
>
> caf02300 ““Task Scheduler Service”… Start”
> caf02340 “ed at 8/2/2011 3:38:38 PM…“Task”
> caf02380 " Scheduler Service”… Exited at "
> caf023c0 “8/2/2011 4:57:23 PM…“Task Sched”
> caf02400 “uler Service”… Started at 8/2/2”
> caf02440 "011 4:57:47 PM…“Task Scheduler “
> caf02480 “Service”… Exited at 8/2/2011 4:”
> caf024c0 “57:52 PM…“Task Scheduler Servic”
>
> so yes some txt files can be read
>
> how to read a txt file contents of my choice ??
> caf02500 “e”… Started at 8/2/2011 5:39:54”
> caf02540 " PM…[Most recent entry i"
> caf02580 "s above this line]…”
>
>
>
>
>
>
> “raj_r” wrote in message news:xxxxx@windbg…
>> from the below info how can i view the contents of the text file or
>> any other file whose shared cache map is NULL in windbg any ideas
>>
>> kd> .shell -ci “!memusage” grep -i “file_object.txt”
>> <.shell waiting 10 second(s) for process>
>> ffa6e4a8 0 8 0 0 0 0 mapped_file(
>> FILE_OBJECT.txt )
>> ffa6a508 0 4 0 0 0 0 mapped_file(
>> FILE_OBJECT.txt.lnk )
>> .shell: Process exited
>> kd> !ca ffa6e4a8
>>
>> ControlArea @ ffa6e4a8
>> Segment e1c35088 Flink ffa6d804 Blink 811abaac
>> Section Ref 0 Pfn Ref 2 Mapped Views 0
>> User Ref 0 WaitForDel 0 Flush Count 0
>> File Object ffa6dd38 ModWriteCount 0 System Views 0
>>
>> Flags (9008080) File WasPurged HadUserReference Accessed
>>
>> File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt
>>
>> Segment @ e1c35088
>> ControlArea ffa6e4a8 ExtendInfo 0171b4ca
>> Total Ptes 40
>> WriteUserRef 0 SizeOfSegment 40000
>> Committed 0 PTE Template 0
>> Based Addr 171b4ca Image Base 0
>>
>>
>> Subsection 1 @ ffa6e4d8
>> ControlArea ffa6e4a8 Starting Sector 0 Number Of Sectors 40
>> Base Pte e1c357c8 Ptes In Subsect 40 Unused Ptes 0
>> Flags 60 Sector Offset 0 Protection 6
>> Flink 00000000 Blink 00000000 MappedViews 0
>> SubsectionDataFlags 0
>>
>>
>> ntoskrnl.pdb doesnot have _MAPPED_FILE_SEGMENT struct in it i added it
>> to pdb manually using info from wild
>>
>> –
>> thanks and regards
>>
>> raj_r
>>
>
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r

raj_r · August 3, 2011, 12:18am

So we Now find the contents of some obscure file still lingering in memory
after several reboots ?

can we piece together the whole file ??

i see this dumped file lingering in memory ?? hyperspacce?? matrix

so how i can go about piecing together the whole file

Dumping with !dc Address L Some length doesnt seem to fetch continous pages
after one section ie pe header

so how to follow the trail ??

kd> ${usc}memu.txt msgbox
<.shell waiting 10 second(s) for process>
8115cce0 0 4 0 0 0 0 mapped_file(
msgbox_dump.exe )
8115c508 0 4 0 0 0 0 mapped_file(
msgbox_dumpmod.exe )
.shell: Process exited
kd> !ca 8115cce0

ControlArea @ 8115cce0
Segment e1040968 Flink 810b00ec Blink 8115c50c
Section Ref 0 Pfn Ref 1 Mapped Views 0
User Ref 0 WaitForDel 0 Flush Count 0
File Object 81195998 ModWriteCount 0 System Views 0

Flags (9008080) File WasPurged HadUserReference Accessed

File: \Documents and Settings\rr\Desktop\msgbox_dump.exe

Segment @ e1040968
ControlArea 8115cce0 ExtendInfo 80c5d4c4
Total Ptes 40
WriteUserRef 0 SizeOfSegment 40000
Committed 0 PTE Template 0
Based Addr 80c5d4c4 Image Base 0

Subsection 1 @ 8115cd10
ControlArea 8115cce0 Starting Sector 0 Number Of Sectors 4
Base Pte e15ac428 Ptes In Subsect 4 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !pte e15ac428 1
VA e15ac428
PDE at E15AC428 PTE at E15AC428
contains 01B658C2
not valid
Transition: 1b65
Protect: 6 - ReadWriteExecute
kd> !dc 1b65000

1b65000 00905a4d 00000003 00000004 0000ffff MZ…

1b65010 000000b8 00000000 00000040 00000000 …@…

1b65020 00000000 00000000 00000000 00000000 …

1b65030 00000000 00000000 00000000 000000b0 …

1b65040 0eba1f0e cd09b400 4c01b821 685421cd …!..L.!Th

1b65050 70207369 72676f72 63206d61 6f6e6e61 is program canno

1b65060 65622074 6e757220 206e6920 20534f44 t be run in DOS

1b65070 65646f6d 0a0d0d2e 00000024 00000000 mode…$…

kd> .echo thanks pavel lebedynskiy
thanks pavel lebedynskiy
kd> !finddata 81195998 0

FindData for FileObject 81195998 Section Object Pointers: 8119deac
Shared Cache Map: 00000000Unable to read nt!_SHARED_CACHE_MAP at 00000000

“raj_r” wrote in message news:xxxxx@windbg…
kd> $$>a< scripts\memu.txt txt
<.shell waiting 10 second(s) for process>
<.shell running: .shell_quit to abandon, ENTER to wait>81167c08 12
0 0 0 0 0 mapped_file( SchedLgU.Txt )
8117e280 0 4 0 0 0 0 mapped_file(
FILE_OBJECT.txt.lnk )
8113e770 0 8 0 0 0 0 mapped_file(
FILE_OBJECT.txt )
.shell: Process exited
!ca 81167c08
!ca 81167c08
kd> !ca 81167c08

ControlArea @ 81167c08
Segment e15403c8 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 3 Mapped Views 1
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffba87e8 ModWriteCount 0 System Views 1

Flags (8008080) File WasPurged Accessed

File: \WINDOWS\SchedLgU.Txt

Segment @ e15403c8
ControlArea 81167c08 ExtendInfo 80d0c4ce
Total Ptes 100
WriteUserRef 0 SizeOfSegment 100000
Committed 0 PTE Template 0
Based Addr 80d0c4ce Image Base 0

Subsection 1 @ 81167c38
ControlArea 81167c08 Starting Sector 0 Number Of Sectors 3
Base Pte e1594800 Ptes In Subsect 3 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !finddata ffba87e8 0

FindData for FileObject ffba87e8 Section Object Pointers: 8116772c
Shared Cache Map: 81170d90 File Offset: 0 in VACB number 0
Vacb: 812541b8
Your data is at: cb000000

kd> du cb000000 l10
cb000000 "?“Task Scheduler”
kd> !ca 8113e770

ControlArea @ 8113e770
Segment e14e8998 Flink 810be0f4 Blink ffa9bfa4
Section Ref 0 Pfn Ref 2 Mapped Views 0
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffb27bc8 ModWriteCount 0 System Views 0

Flags (9008080) File WasPurged HadUserReference Accessed

File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt

Segment @ e14e8998
ControlArea 8113e770 ExtendInfo 80a77cc8
Total Ptes 40
WriteUserRef 0 SizeOfSegment 40000
Committed 0 PTE Template 0
Based Addr 80a77cc8 Image Base 0

Subsection 1 @ 8113e7a0
ControlArea 8113e770 Starting Sector 0 Number Of Sectors 40
Base Pte e1b5c8e8 Ptes In Subsect 40 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !finddata ffb27bc8 0

FindData for FileObject ffb27bc8 Section Object Pointers: ffb9c3dc
Shared Cache Map: 00000000Unable to read nt!_SHARED_CACHE_MAP at 00000000

kd> !pte e1b5c8e8 1
VA e1b5c8e8
PDE at E1B5C8E8 PTE at E1B5C8E8
contains 04AD78C2
not valid
Transition: 4ad7
Protect: 6 - ReadWriteExecute
kd> !dc 4ad70000
Physical memory read at 4ad70000 failed
If you know the caching attributes used for the memory,
try specifying [c], [uc] or [wc], as in !dd [c] .
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.
kd> !dc 04AD78C2
# 4ad78c0 676e696f 206f7420 77656976 206e6920 oing to view in
# 4ad78d0 646e6977 6f206762 6874206e 6f682065 windbg on the ho
# 4ad78e0 0a0d7473 54200a0d 20736968 74207369 st… This is t
# 4ad78f0 66206568 20656c69 74616874 20657720 he file that we
# 4ad7900 20657261 6e696f67 6f742067 65697620 are going to vie
# 4ad7910 6e692077 6e697720 20676264 74206e6f w in windbg on t
# 4ad7920 68206568 0d74736f 200a0d0a 73696854 he host… This
# 4ad7930 20736920 20656874 656c6966 61687420 is the file tha
kd> !dc 04AD7800
# 4ad7800 6e697720 20676264 74206e6f 68206568 windbg on the h
# 4ad7810 0d74736f 200a0d0a 73696854 20736920 ost… This is
# 4ad7820 20656874 656c6966 61687420 65772074 the file that we
# 4ad7830 65726120 696f6720 7420676e 6976206f are going to vi
# 4ad7840 69207765 6977206e 6762646e 206e6f20 ew in windbg on
# 4ad7850 20656874 74736f68 0a0d0a0d 69685420 the host… Thi
# 4ad7860 73692073 65687420 6c696620 68742065 s is the file th
# 4ad7870 77207461 72612065 6f672065 20676e69 at we are going
kd> !dc 04AD7000
# 4ad7000 73696854 20736920 20656874 656c6966 This is the file
# 4ad7010 61687420 65772074 65726120 696f6720 that we are goi
# 4ad7020 7420676e 6976206f 69207765 6977206e ng to view in wi
# 4ad7030 6762646e 206e6f20 20656874 74736f68 ndbg on the host
# 4ad7040 0a0d0a0d 540a0d20 20736968 74207369 … …This is t
# 4ad7050 66206568 20656c69 74616874 20657720 he file that we
# 4ad7060 20657261 6e696f67 6f742067 65697620 are going to vie
# 4ad7070 6e692077 6e697720 20676264 74206e6f w in windbg on t
kd> .ECHO THANKS A LOT Pavel Lebedynskiy
THANKS A LOT Pavel Lebedynskiy

On 8/3/11, Pavel Lebedynskiy wrote:
> You can look at proto PTEs for the section and for those that are valid or
> transition, use !dc to dump the corresponding physical pages:
>
> lkd> !ca fffffa8006487f20
> …
> \Users\foo\Searches\desktop.ini
>
> Subsection 1 @ fffffa8006487f90
> …
> Base Pte fffff8a008f092a0 Ptes In Subsect 1 Unused Ptes
> 0
>
> lkd> dq fffff8a008f092a0
> fffff8a008f092a0 00000001476e28c0 0000000000000000<br>> fffff8a008f092b0 74536d4d03020002 fffff8828e5bf63c
>
> lkd> !pte fffff8a008f092a0 1
> VA fffff8a008f092a0
> PXE at FFFFF8A008F092A0 PPE at FFFFF8A008F092A0 PDE at
> FFFFF8A008F092A0 PTE at FFFFF8A008F092A0
> contains 00000001476E28C0
> not valid
> Transition: 1476e2
> Protect: 6 - ReadWriteExecute
>
> lkd> !dc 1476e2000
> #1476e2000 000dfeff 005b000a 0053002e 00650068 …[…S.h.e.
> #1476e2010 006c006c 006c0043 00730061 00490073 l.l.C.l.a.s.s.I.
> #1476e2020 0066006e 005d006f 000a000d 006f004c n.f.o.]…L.o.
> #1476e2030 00610063 0069006c 0065007a 00520064 c.a.l.i.z.e.d.R.
> #1476e2040 00730065 0075006f 00630072 004e0065 e.s.o.u.r.c.e.N.
> #1476e2050 006d0061 003d0065 00250040 00790053 a.m.e.=.@.%.S.y.
> #1476e2060 00740073 006d0065 006f0052 0074006f s.t.e.m.R.o.o.t.
> #1476e2070 005c0025 00790073 00740073 006d0065 %..s.y.s.t.e.m.
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj
> Sent: Tuesday, August 02, 2011 10:28 AM
> To: Kernel Debugging Interest List
> Subject: Re:[windbg] dumping contents of .txt file
>
> here is a dump of another text file presumably opened by TaskScheduler
> Service
>
> but for a file with Shared cache map= null can we crawl around somehow ??
>
>
> nt!RtlpBreakWithStatusInstruction:
> 804e3592 cc int 3
>
> kd> $$>a< scripts/memu.txt txt
>
> <.shell waiting 10 second(s) for process>
> 811644a0 12 0 0 0 0 0 mapped_file( SchedLgU.Txt )
> .shell: Process exited
>
>
> kd> !ca 811644a0
>
> ControlArea @ 811644a0
> Segment e1548188 Flink 00000000 Blink 00000000
> Section Ref 1 Pfn Ref 3 Mapped Views 1
> User Ref 0 WaitForDel 0 Flush Count 0
> File Object ffbbeae0 ModWriteCount 0 System Views 1
>
> Flags (8008080) File WasPurged Accessed
>
> File: \WINDOWS\SchedLgU.Txt
>
> Segment @ e1548188
> ControlArea 811644a0 ExtendInfo 80cd4cd4
> Total Ptes 100
> WriteUserRef 0 SizeOfSegment 100000
> Committed 0 PTE Template 0
> Based Addr 80cd4cd4 Image Base 0
>
>
> Subsection 1 @ 811644d0
> ControlArea 811644a0 Starting Sector 0 Number Of Sectors 3
> Base Pte e1597620 Ptes In Subsect 3 Unused Ptes 0
> Flags 60 Sector Offset 0 Protection 6
> Flink 00000000 Blink 00000000 MappedViews 0
> SubsectionDataFlags 0
>
>
> kd> !fileobj ffbbeae0
>
> \WINDOWS\SchedLgU.Txt
>
> Device Object: 0x8126ee30 \Driver\Ftdisk
> Vpb: 0x8126ff38
> Event signalled
> Access: Read Write SharedRead
>
> Flags: 0xc1052
> Synchronous IO
> Write Through
> Cache Supported
> Modified
> Handle Created
> Fast IO Read
>
> Could not read memory for Irp List
> FsContext: 0xe15498d8 FsContext2: 0xe15d65f0 Private Cache Map: 0xffbbd598
> CurrentByteOffset: 254a
> Cache Data:
> Section Object Pointers: 81164514
> Shared Cache Map: ffbbd4c0 File Offset: 254a in VACB number 0
> Vacb: 81254128
> Your data is at: caf0254a
>
>
>
> kd> du caf00000 L?2600
> caf00000 “?“Task Scheduler Service”… Star”
> caf00040 “ted at 2/26/2010 8:37:18 PM…“Ta”
> caf00080 “sk Scheduler Service”… Exited a”
> caf000c0 "t 2/26/2010 8:49:48 PM…“Task Sc”
>
> cutoff the last but two entries in quick succession was done by me with
> net
> start scheduler net stop schedular and last but third with Sc Stop
> Scheduler
>
> caf02300 ““Task Scheduler Service”… Start”
> caf02340 “ed at 8/2/2011 3:38:38 PM…“Task”
> caf02380 " Scheduler Service”… Exited at "
> caf023c0 “8/2/2011 4:57:23 PM…“Task Sched”
> caf02400 “uler Service”… Started at 8/2/2”
> caf02440 "011 4:57:47 PM…“Task Scheduler “
> caf02480 “Service”… Exited at 8/2/2011 4:”
> caf024c0 “57:52 PM…“Task Scheduler Servic”
>
> so yes some txt files can be read
>
> how to read a txt file contents of my choice ??
> caf02500 “e”… Started at 8/2/2011 5:39:54”
> caf02540 " PM…[Most recent entry i"
> caf02580 "s above this line]…”
>
>
>
>
>
>
> “raj_r” wrote in message news:xxxxx@windbg…
>> from the below info how can i view the contents of the text file or
>> any other file whose shared cache map is NULL in windbg any ideas
>>
>> kd> .shell -ci “!memusage” grep -i “file_object.txt”
>> <.shell waiting 10 second(s) for process>
>> ffa6e4a8 0 8 0 0 0 0 mapped_file(
>> FILE_OBJECT.txt )
>> ffa6a508 0 4 0 0 0 0 mapped_file(
>> FILE_OBJECT.txt.lnk )
>> .shell: Process exited
>> kd> !ca ffa6e4a8
>>
>> ControlArea @ ffa6e4a8
>> Segment e1c35088 Flink ffa6d804 Blink 811abaac
>> Section Ref 0 Pfn Ref 2 Mapped Views 0
>> User Ref 0 WaitForDel 0 Flush Count 0
>> File Object ffa6dd38 ModWriteCount 0 System Views 0
>>
>> Flags (9008080) File WasPurged HadUserReference Accessed
>>
>> File: \Documents and Settings\rr\Desktop\FILE_OBJECT.txt
>>
>> Segment @ e1c35088
>> ControlArea ffa6e4a8 ExtendInfo 0171b4ca
>> Total Ptes 40
>> WriteUserRef 0 SizeOfSegment 40000
>> Committed 0 PTE Template 0
>> Based Addr 171b4ca Image Base 0
>>
>>
>> Subsection 1 @ ffa6e4d8
>> ControlArea ffa6e4a8 Starting Sector 0 Number Of Sectors 40
>> Base Pte e1c357c8 Ptes In Subsect 40 Unused Ptes 0
>> Flags 60 Sector Offset 0 Protection 6
>> Flink 00000000 Blink 00000000 MappedViews 0
>> SubsectionDataFlags 0
>>
>>
>> ntoskrnl.pdb doesnot have _MAPPED_FILE_SEGMENT struct in it i added it
>> to pdb manually using info from wild
>>
>> –
>> thanks and regards
>>
>> raj_r
>>
>
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r

OSR_Community_User · August 3, 2011, 9:28am

> Flags (9008080) File WasPurged HadUserReference Accessed

File WasPurged

…from memory?

No wonder it’s hard trying to puzzle its pages together from the dump
file.

Tim_Roberts · August 3, 2011, 12:39pm

raj wrote:

So we Now find the contents of some obscure file still lingering in memory
after several reboots ?

can we piece together the whole file ??

i see this dumped file lingering in memory ?? hyperspacce?? matrix

It’s not impossible. As long as the RAM has not lost power, the
previous contents will be retained.

so how i can go about piecing together the whole file

You can’t, without scanning the dump by hand and looking for related
text strings. In a 4GB dump file, that’s going to be a hell of a job.

Dumping with !dc Address L Some length doesnt seem to fetch continous pages
after one section ie pe header

Of course not. !dc dumps physical pages. After your system has run for
a few minutes, it is extremely rare to find two consecutive virtual
pages that reside on consecutive physical pages.

so how to follow the trail ??

There is no “trail”. There’s just a few bytes of memory here and there.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

raj_r · August 4, 2011, 3:06am

Thanks Tim

It’s not impossible. As long as the RAM has not lost power, the
previous contents will be retained.

I Meant after pulling the plug off the host and opening the vm after a few days
i see the file refernaced in !memusage

see i had shut down the host last night and i started it now and opened the vm

and i see the file in !memusage list and it seems to valid

kd> $$>a< scripts\memu.txt msgbox
<.shell waiting 10 second(s) for process>
81145498 0 4 0 0 0 0 mapped_file( msgbox_dumpmod.exe )
ffb89e90 0 4 0 0 0 0 mapped_file( msgbox_dump.exe )
.shell: Process exited
kd> !ca 81145498

ControlArea @ 81145498
Segment e1121478 Flink ffb89e94 Blink ffb3540c
Section Ref 0 Pfn Ref 1 Mapped Views 0
User Ref 0 WaitForDel 0 Flush Count 0
File Object 811a0600 ModWriteCount 0 System Views 0

Flags (9008080) File WasPurged HadUserReference Accessed

File: \Documents and Settings\rr\Desktop\msgbox_dumpmod.exe

Segment @ e1121478
ControlArea 81145498 ExtendInfo 80ae4cd2
Total Ptes 40
WriteUserRef 0 SizeOfSegment 40000
Committed 0 PTE Template 0
Based Addr 80ae4cd2 Image Base 0

Subsection 1 @ 811454c8
ControlArea 81145498 Starting Sector 0 Number Of Sectors 40
Base Pte e1128940 Ptes In Subsect 40 Unused Ptes 0
Flags 60 Sector Offset 0 Protection 6
Flink 00000000 Blink 00000000 MappedViews 0
SubsectionDataFlags 0
kd> !finddata 811a0600 0

FindData for FileObject 811a0600 Section Object Pointers: 811d5564
Shared Cache Map: 00000000Unable to read nt!_SHARED_CACHE_MAP at 00000000

kd> !pte e1128940 1
VA e1128940
PDE at E1128940 PTE at E1128940
contains 0369C8C2
not valid
Transition: 369c
Protect: 6 - ReadWriteExecute
kd> !dc 369c000

369c000 00905a4d 00000003 00000004 0000ffff MZ…

369c010 000000b8 00000000 00000040 00000000 …@…

369c020 00000000 00000000 00000000 00000000 …

369c030 00000000 00000000 00000000 000000b0 …

369c040 0eba1f0e cd09b400 4c01b821 685421cd …!..L.!Th

369c050 70207369 72676f72 63206d61 6f6e6e61 is program canno

369c060 65622074 6e757220 206e6920 20534f44 t be run in DOS

369c070 65646f6d 0a0d0d2e 00000024 00000000 mode…$…

kd> dt -p nt!_IMAGE_DOS_HEADER 369c000
+0x000 e_magic : 0x5a4d
+0x002 e_cblp : 0x90
+0x004 e_cp : 3
+0x006 e_crlc : 0
+0x008 e_cparhdr : 4
+0x00a e_minalloc : 0
+0x00c e_maxalloc : 0xffff
+0x00e e_ss : 0
+0x010 e_sp : 0xb8
+0x012 e_csum : 0
+0x014 e_ip : 0
+0x016 e_cs : 0
+0x018 e_lfarlc : 0x40
+0x01a e_ovno : 0
+0x01c e_res : [4] 0
+0x024 e_oemid : 0
+0x026 e_oeminfo : 0
+0x028 e_res2 : [10] 0
+0x03c e_lfanew : 0n176
kd> dt -p -r nt!_IMAGE_NT_HEADERS 369c000+0n176
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x000 Machine : 0x14c
+0x002 NumberOfSections : 3
+0x004 TimeDateStamp : 0x4e1da1cf
+0x008 PointerToSymbolTable : 0
+0x00c NumberOfSymbols : 0
+0x010 SizeOfOptionalHeader : 0xe0
+0x012 Characteristics : 0x10f
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
+0x000 Magic : 0x10b
+0x002 MajorLinkerVersion : 0x5 ‘’
+0x003 MinorLinkerVersion : 0xc ‘’
+0x004 SizeOfCode : 0x200
+0x008 SizeOfInitializedData : 0x400
+0x00c SizeOfUninitializedData : 0
+0x010 AddressOfEntryPoint : 0x1000
+0x014 BaseOfCode : 0x1000
+0x018 BaseOfData : 0x2000
+0x01c ImageBase : 0x400000
+0x020 SectionAlignment : 0x1000
+0x024 FileAlignment : 0x200
+0x028 MajorOperatingSystemVersion : 4
+0x02a MinorOperatingSystemVersion : 0
+0x02c MajorImageVersion : 0
+0x02e MinorImageVersion : 0
+0x030 MajorSubsystemVersion : 4
+0x032 MinorSubsystemVersion : 0
+0x034 Win32VersionValue : 0
+0x038 SizeOfImage : 0x4000
+0x03c SizeOfHeaders : 0x400
+0x040 CheckSum : 0
+0x044 Subsystem : 2
+0x046 DllCharacteristics : 0
+0x048 SizeOfStackReserve : 0x100000
+0x04c SizeOfStackCommit : 0x1000
+0x050 SizeOfHeapReserve : 0x100000
+0x054 SizeOfHeapCommit : 0x1000
+0x058 LoaderFlags : 0
+0x05c NumberOfRvaAndSizes : 0x10
+0x060 DataDirectory : [16] _IMAGE_DATA_DIRECTORY
+0x000 VirtualAddress : 0
+0x004 Size : 0

that is i dumped it out of physical address
so i was looking for the missing sections

and wanting to know why it is showing up in !memusage list

On 8/3/11, Tim Roberts wrote:
> raj wrote:
>> So we Now find the contents of some obscure file still lingering in memory
>> after several reboots ?
>>
>> can we piece together the whole file ??
>>
>> i see this dumped file lingering in memory ?? hyperspacce?? matrix
>
> It’s not impossible. As long as the RAM has not lost power, the
> previous contents will be retained.
>
>> so how i can go about piecing together the whole file
>
> You can’t, without scanning the dump by hand and looking for related
> text strings. In a 4GB dump file, that’s going to be a hell of a job.
>
>> Dumping with !dc Address L Some length doesnt seem to fetch continous
>> pages
>> after one section ie pe header
>
> Of course not. !dc dumps physical pages. After your system has run for
> a few minutes, it is extremely rare to find two consecutive virtual
> pages that reside on consecutive physical pages.
>
>> so how to follow the trail ??
>
> There is no “trail”. There’s just a few bytes of memory here and there.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r

Tim_Roberts · August 4, 2011, 1:03pm

raj_r wrote:

> It’s not impossible. As long as the RAM has not lost power, the
> previous contents will be retained.
I Meant after pulling the plug off the host and opening the vm after a few days
i see the file refernaced in !memusage

see i had shut down the host last night and i started it now and opened the vm

and i see the file in !memusage list and it seems to valid

You hadn’t mentioned before that you were working with a VM. You are
aware, I presume, that the memory for a VM is actually stored in a disk
file. When you resume the VM, the memory image comes right back from disk.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

raj_r · August 4, 2011, 1:11pm

Thanks tim

I guessed so but still i wonder why it doesn’t go even after several weeks
even after i reduce the page file size to half of the ram i allotted for vm
and i allotted a meager 100 mb ram for xp
the mapped file entry still exists there

On 8/4/11, Tim Roberts wrote:
> raj_r wrote:
>>
>>> It’s not impossible. As long as the RAM has not lost power, the
>>> previous contents will be retained.
>> I Meant after pulling the plug off the host and opening the vm after a few
>> days
>> i see the file refernaced in !memusage
>>
>> see i had shut down the host last night and i started it now and opened
>> the vm
>>
>> and i see the file in !memusage list and it seems to valid
>
> You hadn’t mentioned before that you were working with a VM. You are
> aware, I presume, that the memory for a VM is actually stored in a disk
> file. When you resume the VM, the memory image comes right back from disk.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

–
thanks and regards

raj_r

Tim_Roberts · August 4, 2011, 1:17pm

raj_r wrote:

I guessed so but still i wonder why it doesn’t go even after several weeks
even after i reduce the page file size to half of the ram i allotted for vm
and i allotted a meager 100 mb ram for xp
the mapped file entry still exists there

The behavior of physical pages in a virtual memory system is very
difficult to model. It may even be chaotic. Consider, for example,
what would happen if the page manager used a first-in-first-out scheme
for storing and reusing freed pages. In that case, if there were an
event that caused a lot of pages to go free, the first pages to go might
stay on the free list for a very long time without getting reused.

I’m not saying that’s how the Windows page manager is implemented – I’m
merely pointing out that there are feasible designs that could cause the
behavior you are seeing.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim_Roberts · August 4, 2011, 1:19pm

Tim Roberts wrote:

The behavior of physical pages in a virtual memory system is very
difficult to model. It may even be chaotic. Consider, for example,
what would happen if the page manager used a first-in-first-out scheme
for storing and reusing freed pages…

Of course, the scenario I quote here actually applies to a
LAST-in-first-out scheme…

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

OSR_Community_User · August 4, 2011, 5:05pm

It seems things have not changed much. Back in the 1960s, I was having to
locating missing records in ISAM databases by reading the hexadecimal dumps
of OS/360. The idea was that if we knew what records were left behind, we
might have some idea how the users were triggering errors like access
faults.

And in the 1970s, one of our support people was an expert at patching disks
back together after a crash garbaged the root directory (we didn’t have the
notion of transacted files or directories in those days).

In the late 1970s, MS-DOS trashed my hard drive hours before I was scheduled
to go to a client site, and although I did daily backups, I was about to
lose a whole day of intensive editing. I pieced together the files from the
traces left on the disk. Not one of my more fun evenings.

Largely, the answer to the question about pieceing together the file is Not
A Chance. You might find random text left in memory, but the relationship
of that random text to the disk has been obliterated. You could find pages
that have already been committed to disk but not reused, pieces that have
not yet been committed, etc., and note that the “file” on the disk might
have reverted to the pre-modification copy rather than the modified copy
because the “transaction” that updated the directory to reflect the new file
has been aborted due to the reboot.

Also, you have no idea what “generation” the random data is: is it from the
most recent reboot, or six reboots back? At what point are you seeing it
(after the reboot completes or by getting a boot-time driver to run early on
in the boot process, which is fairly late as far as preserving memory
contents goes). This doesn’t even begin to address questions like if the
file was compressed or encrypted (or both) and what you are seeing is
plaintext (hint: this is actually a security hole, which many hyperaware
security experts already know about).

Bottom line: if you care about the file contents, deal with it in some other
way. For example, turn off file buffering for that file, and write it out
in 512-byte chunks aligned on 512-byte boundaries, and open the file right
before starting the write and close it immediately after the write. These
make logging a bit more robust, with a serious performance penalty. But in
general, you can assume that memory is random garbage and if you should be
so fortunate as to recognize ANYTHING in the memory dump, you treat that as
a low-probability event.

One of the exercises worth thinking about is how to implement a robust
transacted file system in an environment which does not already have a
robust transacted file system (these ideas date back to the 1970s, when I
first encountered them). Hoping to re-create anything from whatever might
be left in RAM after a reboot is essentially a pointless exercise.
joe

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, August 03, 2011 12:39 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Re:dumping contents of .txt file

raj wrote:

So we Now find the contents of some obscure file still lingering in memory
after several reboots ?

can we piece together the whole file ??

i see this dumped file lingering in memory ?? hyperspacce?? matrix

It’s not impossible. As long as the RAM has not lost power, the
previous contents will be retained.

so how i can go about piecing together the whole file

You can’t, without scanning the dump by hand and looking for related
text strings. In a 4GB dump file, that’s going to be a hell of a job.

Dumping with !dc Address L Some length doesnt seem to fetch continous
pages
after one section ie pe header

Of course not. !dc dumps physical pages. After your system has run for
a few minutes, it is extremely rare to find two consecutive virtual
pages that reside on consecutive physical pages.

so how to follow the trail ??

There is no “trail”. There’s just a few bytes of memory here and there.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Scott_Noone_OSR · August 4, 2011, 7:58pm

“Joseph M. Newcomer” wrote in message news:xxxxx@windbg…

Largely, the answer to the question about pieceing together the file is Not
A Chance. You might find random text left in memory, but the relationship
of that random text to the disk has been obliterated.

I’ll preface this by saying I have no idea what raj is up to or what his
requirements are (though I suspect that they’re interesting/insane :)), but
wanted to make a general comment here.

Sometimes just finding pieces of data can be enough. A text file is really
just a simple example of a memory mapped file because most people read their
text files with Notepad (which happens to use memory mapping). Imagine
though if you wanted to see what executables were mapped in the imaged
system, seeing the bits of these that are in memory might tell you a whole
lot about the state of that system. Also, in this case you don’t really care
about the data on disk as what you really want to know is what was executing
in memory.

But in general, you can assume that memory is random garbage and if you
should be
so fortunate as to recognize ANYTHING in the memory dump, you treat that as
a low-probability event.

If you’re just scanning the raw contents of the dump for patterns then,
sure, who knows what that junk is. However, if you follow the O/S data
structures and happen upon the contents then you can have a high level of
confidence that what you are looking at is what was being executed on the
system.

Per usual, the answer to the question really relies upon what the intention
is.

-scott

–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com