Finding the process which WinDbg cannot attach to (0xc000010a error)

  1. How do I find which process WinDbg tried to attach to in this error message?
  2. Why couldn't it attach, and
  3. How can I force-attach to it if need be?

I see an occasional message like this from the AeDebug debugger (WinDbg):

cannot debug pid XXXXX ntstatus 0xc000010a
lkd> !error 0xc000010a
Error code: (NTSTATUS) 0xc000010a (3221225738) - An attempt was made
to duplicate an object handle into or out of an exiting process.

How do I find what process caused this? If I click OK on the
message box, WinDbg simply quits.

I opened lkd on such an instance and listed the processes:

lkd> .tlist -v wind*
0n2068 windbg.exe
Session: 0 User: MC\Admin Command Line:
"F:\windbg\612windbg\windbg.exe" -p 2652 -e 444 -g
0n2064 windbg.exe
Session: 0 User: MC\Admin Command Line:
"F:\windbg\612windbg\windbg.exe" -p 2652 -e 684 -g
0n1528 windbg.exe
Session: 0 User: MC\Admin Command Line:
"F:\windbg\612windbg\windbg.exe" -kl -Q

I see WinDbg is trying to attach to PID 2652 in this case.

I also see -e 444 and -e 684.

The WinDbg help file says -e is used to call the debugger programmatically:

-e Event
Signals the debugger that the specified event has occurred. This
option is only used when starting the debugger programmatically.

Dumping the process details of WinDbg does not give a coherent stack:

lkd> !process 0n2068 f
Searching for Process with Cid == 814
Cid handle table at e3d24000 with 559 entries in use

PROCESS 865b1828 SessionId: 0 Cid: 0814 Peb: 7ffdb000 ParentCid: 0a5c
DirBase: 0fdc0420 ObjectTable: e114a4d0 HandleCount: 67.
Image: windbg.exe
VadRoot 85f91888 Vads 71 Clone 0 Private 276. Modified 19. Locked 0.
DeviceMap e2de19b0
Token e1614b20
ElapsedTime 00:24:30.984
UserTime 00:00:00.031

a9836cc8 80500cf0 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
a9836cd4 804f9d72 nt!KiSwapThread+0x46 (FPO: [0,0,0])
a9836cfc bf802f45 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
a9836d5c 8053d658 0xbf802f45
a9836d5c 0000003b nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ a9836d4c)
00000001 00000000 0x3b

Doing a .process and listing the modules doesn't show any module of the
process that WinDbg is trying to attach to:

lkd> .process /p /r 865b1828
Implicit process is now 865b1828
Loading User Symbols
…WARNING: Loader 001a1f18 timestamp 00000000 != header timestamp 49c4f482

lkd> lm
start end module name
01000000 01097000 windbg (deferred)
02000000 0239b000 dbgeng (deferred)
03000000 03141000 dbghelp (deferred)
4b400000 4b486000 MSFTEDIT (deferred)

The only thing that looks odd is the current directory in !peb:

CurrentDirectory: 'C:\Documents and Settings\LocalService\Application Data\ZTE_CDMA_1X'
WindowTitle: 'F:\windbg\612windbg\windbg.exe'
ImageFile: 'F:\windbg\612windbg\windbg.exe'
CommandLine: '"F:\windbg\612windbg\windbg.exe" -p 2652 -e 444 -g'

That directory doesn't seem to contain any exe:

lkd> .shell dir "C:\Documents and Settings\LocalService\Application Data\ZTE_CDMA_1X"
<.shell waiting 1 second(s) for process>
Volume in drive C has no label.
Volume Serial Number is 9836-92E3

Directory of C:\Documents and Settings\LocalService\Application Data\ZTE_CDMA_1X

05/11/2011 09:09 .
05/11/2011 09:09 ..
12/11/2011 23:37 287 Config.ini
05/11/2011 09:09 157 plot.log
2 File(s) 444 bytes
2 Dir(s) 5,963,878,400 bytes free
.shell: Process exited
Press ENTER to continue
<.shell waiting 1 second(s) for process>
<.shell process may need input>

How can I eke out the process name that WinDbg was trying to attach to?

And how do I find out what event was signaled, the one that shows up in
the WinDbg command line?

1) What exe exited?
2) Why did WinDbg want to catch it?
3) And why couldn't it catch it?

Before closing down the instance I made a dump using

ntsd -pv -p 2068 -c ".dump /ma windbgdump.dmp;"

0:000> !analyze ;du 01071f80; du 01076280
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/windbg_exe/6_12_2_633/unknown/0_0_0_0/00000000.htm?Retriage=1
Probably caused by : windbg.exe ( windbg!TextMsgBox+78 )

Followup: MachineOwner
---------

01071f80 "Could not attach to process 2652"
01071fc0 ", NTSTATUS 0xC000010A..An attemp"
01072000 "t was made to duplicate an objec"
01072040 "t handle into or out of an exiti"
01072080 "ng process."
01076280 "WinDbg:6.12.0002.633 X86 "

Does anyone have any pointers? Can I find the erring process?

The post on the forum doesn't contain the original query as quotes,
so I'm posting from mail, with context.

Does anyone have any pointers to the problem below?

Can I find the erring process?


I’ve never had this problem, so I don’t have any kind of answer. However, a
couple of things:

  1. Can’t you tell from the WinDBG command line the PID of the process that
    it’s trying to attach to?

  2. You said:

dumping the process details of windbg does not give a coherant stack

lkd> !process 0n2068 f
Searching for Process with Cid == 814
Cid handle table at e3d24000 with 559 entries in use

If you want to see user mode state, you need to add flag 0x10 to the
!process command:

!process 0n2068 1f

  3. You might want to look at the event log or see if you can find WER logs,
    they might be helpful in tracking down what started this.

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

You cannot force attach with the user mode debugger in this case, which may occur if the process gets terminated (could be due to any number of application-specific reasons) before the debugger completes the process attach.

Either attach the user mode debugger beforehand, or use the kernel debugger and configure it to break on first chance exceptions (!gflags +soe).

- S (Msft)

From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] on behalf of raj_r [xxxxx@gmail.com]
Sent: Saturday, November 12, 2011 11:28 AM
To: Kernel Debugging Interest List
Subject: [windbg] finding the process which windbg cannot attach to 0xc000010a error


---
WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

On 11/15/11, Scott Noone wrote:
> I’ve never had this problem, so I don’t have any kind of answer. However, a
> couple of things:

and neither does Google :) otherwise I would have pieced it together even if I
found some scent in some obscure Parseltongue
http://parseltonguetranslator.warnerbros.com/parseltongue.php

>
> 1) Can’t you tell from the WinDBG command line the PID of the process that
> it’s trying to attach to?

No; as I pasted in my earlier output, WinDbg is trying to attach to it
with -p PID -e EVENT:

CommandLine: '"F:\windbg\612windbg\windbg.exe" -p 2652 -e 444 -g'

>
> 2) You said:
>
>> dumping the process details of windbg does not give a coherant stack
>>
>> lkd> !process 0n2068 f
>> Searching for Process with Cid == 814
>> Cid handle table at e3d24000 with 559 entries in use
>
> If you want to see user mode state, you need to add flag 0x10 to the
> !process command:
>
> !process 0n2068 1f
>

Thanks,
I will remember that the next time WinDbg pops up again due to this error.

Any ideas whether I can parse the .dmp for anything relevant?

> 3) You might want to look at the event log or see if you can find WER logs,
> they might be helpful in tracking down what started this.

I didn't find anything in the event logs.

I can't find anything generic now about WER logs and where they might be hiding.

MSDN said WER logs might be at %temp%\dw.log, but I don't have that file:
http://msdn.microsoft.com/en-us/library/bb219076(v=office.12).aspx
Any other location you are aware of, or any extension-name wildcards to
search for using a dir listing?

But I guess I won't find any WER logs in this specific case, as the
AeDebug debugger kicked in.
I believe WER logs are produced only if there is no debugger that can
attach and the app crashes.
I think in this specific scenario WinDbg tried to attach but WinDbg
failed, and on closing WinDbg it will terminate, handling the error.

Thanks And Regards
raj

On 11/15/11, Skywing wrote:
> You cannot force attach with the user mode debugger in this case, which may
> occur if the process gets terminated (could be due to any number of
> application-specific reasons) before the debugger completes the process
> attach.

I don't know which process to attach to beforehand.

> Either attach the user mode debugger beforehand, or use the kernel debugger
> and configure it to break on first chance exceptions (!gflags +soe).

It's a laptop that doesn't have a COM port, and always having a kernel
debugger attached somehow isn't a possible scenario.

Thanks for replying back, and your blog is the only place that somehow
has a reference to the error code :)

How I ended up in the kernel debugger while trying to get PHP and …
www.nynaeve.net/?p=118
14 Apr 2007 - The data field contains the error number. To learn more
about this … Debuggee initialization failed, NTSTATUS 0xC000010A
"An attempt was …

thanks and regards

raj


You will need to find a way to make one of those options to work. Perhaps you can debug whomever creates the failing process using child debug follow mode and arrange to be in control that way when the initial failure occurs.

Note that you can look up error codes in the WDK/SDK headers, with !error in the debugger, or Err.exe (“Exchange Server Error Code Lookup Utility”).

- S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
Sent: Monday, November 14, 2011 7:44 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] finding the process which windbg cannot attach to 0xc000010a error




Thanks Ken, I'll see if I can somehow log all processes with their
names and PIDs that are created over a period of time and compare the
PID with the WinDbg command line.
The one with the recent PID 0xXXXX before WinDbg fails to attach should
be the process.

Is a utility like that available ready-made?

pid_with_procname_logforevr.exe
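An added example, not code from anyone in this thread, from WinDbg or from Microsoft: a small Python triage script that does offline what the thread keeps circling back to. It pulls the -p PID and -e event handle out of the AeDebug command line (the -e value is an inherited event handle number, not a PID, so it identifies nothing on its own), splits the NTSTATUS into its ntdef.h bit fields and names 0xC000010A (STATUS_PROCESS_IS_TERMINATING in ntstatus.h, the code Skywing suggests looking up in the headers), and resolves the PID against a process-creation log of the kind raj wants to collect, taking the latest start record before the debugger launched because PIDs are recycled. It also checks the hex ParentCid that !process prints against the decimal -p value: on Windows XP the faulting process's unhandled-exception filter launches the AeDebug debugger itself, and in the !process output earlier in the thread ParentCid 0a5c is 0n2652, the very PID on WinDbg's command line. The log layout (tab-separated time, PID, parent PID, image) and every timestamp and image path in the sample are constructed for the example; the crasher path is hypothetical.

```python
"""Offline triage of an AeDebug attach failure (added example, not from the
thread, WinDbg or Microsoft). Inputs: the debugger command line built from the
AeDebug template ("-p %ld -e %ld"), the NTSTATUS the attach failed with, and a
process-creation log in a constructed tab-separated layout."""
import re
from datetime import datetime

# NTSTATUS bit layout (ntdef.h): Sev[31:30] C[29] N[28] Facility[27:16] Code[15:0]
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# Only the code this thread is about; extend from ntstatus.h as needed.
KNOWN_NTSTATUS = {0xC000010A: "STATUS_PROCESS_IS_TERMINATING"}


def decode_ntstatus(status):
    """Split an NTSTATUS into its fields and name it when it is a known code."""
    status &= 0xFFFFFFFF
    return {
        "value": status,
        "severity": SEVERITY[status >> 30],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": KNOWN_NTSTATUS.get(status),
    }


def parse_aedebug_cmdline(cmdline):
    """Return the decimal -p PID and -e event handle from the command line.
    The -e value is an inherited handle number, not a PID; on its own it
    identifies nothing outside the two processes involved."""
    pid = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    if not pid:
        raise ValueError("no -p <pid> in %r" % cmdline)
    evt = re.search(r"(?:^|\s)-e\s+(\d+)", cmdline)
    return {"pid": int(pid.group(1)), "event": int(evt.group(1)) if evt else None}


def cid_to_pid(cid_hex):
    """!process prints Cid/ParentCid in hex; .tlist and the command line are decimal."""
    return int(cid_hex, 16)


def parse_proc_log(text):
    """Parse the constructed log: one 'time<TAB>pid<TAB>ppid<TAB>image' per line."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, pid, ppid, image = line.split("\t")
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "pid": int(pid), "ppid": int(ppid), "image": image})
    return rows


def resolve_pid(rows, pid, not_after):
    """Latest start record for `pid` at or before `not_after`. PIDs are
    recycled, so an older record with the same PID is a different process."""
    hits = [r for r in rows if r["pid"] == pid and r["time"] <= not_after]
    return max(hits, key=lambda r: r["time"]) if hits else None


def triage(cmdline, debugger_pid, status, log_text, parent_cid_hex=None):
    """Tie the pieces together for one debugger instance seen in .tlist."""
    args = parse_aedebug_cmdline(cmdline)
    rows = parse_proc_log(log_text)
    dbg = resolve_pid(rows, debugger_pid, datetime.max)
    if dbg is None:
        raise LookupError("debugger PID %d not in the log" % debugger_pid)
    target = resolve_pid(rows, args["pid"], dbg["time"])
    return {
        "target_pid": args["pid"],
        "event_handle": args["event"],
        "target_image": target["image"] if target else None,
        "status": decode_ntstatus(status),
        # On XP the faulting process's unhandled-exception filter launches the
        # AeDebug debugger, so the debugger's parent should be the -p target.
        "parent_is_target": dbg["ppid"] == args["pid"],
        "parentcid_is_target": (cid_to_pid(parent_cid_hex) == args["pid"]
                                if parent_cid_hex else None),
    }


# Constructed sample log (not real data). PID 2652 appears twice to show reuse.
SAMPLE_LOG = """\
# time<TAB>pid<TAB>ppid<TAB>image
2011-11-12 10:41:17\t2652\t1204\tC:\\hypothetical\\earlier_owner_of_pid_2652.exe
2011-11-12 11:26:55\t2652\t1204\tC:\\hypothetical\\crasher.exe
2011-11-12 11:27:58\t2068\t2652\tF:\\windbg\\612windbg\\windbg.exe
2011-11-12 11:28:03\t2064\t2652\tF:\\windbg\\612windbg\\windbg.exe
"""

if __name__ == "__main__":
    CMDLINE = '"F:\\windbg\\612windbg\\windbg.exe" -p 2652 -e 444 -g'  # from .tlist
    report = triage(CMDLINE, 2068, 0xC000010A, SAMPLE_LOG, parent_cid_hex="0a5c")
    for key, value in report.items():
        print("%-22s %s" % (key, value))
```

Any source that records process starts with timestamps can feed the script once exported to that layout, for instance Process Monitor's Process Create events or a WMI Win32_ProcessStartTrace subscription. The decisive fields are the start time and the parent PID: the image name for a PID is only trustworthy when taken from the last start record before the debugger itself appeared, and a debugger whose parent is not the -p target was launched by something other than the faulting process.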

On 11/15/11, Skywing wrote:
> You will need to find a way to make one of those options to work. Perhaps
> you can debug whomever creates the failing process using child debug follow
> mode and arrange to be in control that way when the initial failure occurs.
>
> Note that you can look up error codes in the WDK/SDK headers, with !error in
> the debugger, or Err.exe (“Exchange Server Error Code Lookup Utility”).
>
> - S (Msft)
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
> Sent: Monday, November 14, 2011 7:44 PM
> To: Kernel Debugging Interest List
> Subject: Re: [windbg] finding the process which windbg cannot attach to
> 0xc000010a error
>
> On 11/15/11, Skywing wrote:
>> You cannot force attach with the user mode debugger in this case,
>> which may occur if the process gets terminated (could be due to any
>> number of application-specific reasons) before the debugger completes
>> the process attach.
>
> I don't know which process to attach to beforehand
>>
>
>> Either attach the user mode debugger beforehand, or use the kernel
>> debugger and configure it to break on first chance exceptions (!gflags
>> +soe).
>
>
> It's a laptop that doesn't have a COM port, and always having a kernel debugger
> attached somehow isn't a possible scenario.
>
> Thanks for replying back, and your blog is the only place that somehow has a
> reference to the error code :slight_smile:
>
> How I ended up in the kernel debugger while trying to get PHP and ...
> www.nynaeve.net/?p=118
> 14 Apr 2007 - The data field contains the error number. To learn more about
> this ... Debuggee initialization failed, NTSTATUS 0xC000010A "An attempt
> was ...
>
> thanks and regards
>
> raj
>

Well, I thought I'd do some DbgPrint app and log the debug prints using
debugmon so I can parse PIDs if the crash happened again.

But it seems PsSetCreateProcessNotifyRoutine returns only the PID, no name,
and PsSetLoadImageNotifyRoutine returns too much #$%^ though it has a PID.

So I googled to see if I can find a way to get the process name from the PID,
and it seems it is full of undocumented hacks.

OSR Online has a ZwQueryInformationProcess article,
some forums have some deprecated PsGetProcessNameFromFileName,
some sites have hacks to read from the PEB, etc.

Is there no documented and supported way to get the process name from the
first callback, or limit the spew to only the process name and not all the
DLLs, etc. from the second callback??

Here is a windbg spew of the process:

kd> g
KD: Accessing 'C:\WinDDK\7600.16385.1\src\HelloWorld\ProcCreateMon\objfre_wxp_x86\i386\proccreatemon.sys'
(\??\C:\WINDOWS\system32\drivers\proccreatemon.sys)
File size 3K.
MmLoadSystemImage: Pulled
\??\C:\WINDOWS\system32\drivers\proccreatemon.sys from kd
ProcCreateMon Callback is being registered from proccreatemon.sys
ProcCreateMon Callback registration Succeded from proccreatemon.sys
LoadImageMon Callback is being registered from proccreatemon.sys
LoadImageMon Callback registration Succeded from proccreatemon.sys

Process Id 170 whose Parent Id is 478 was created

Process Name is \Device\HarddiskVolume1\WINDOWS\system32\calc.exe for
Process Id 170
Process Name is \SystemRoot\System32\ntdll.dll for Process Id 170

cut off other dlls

Process Name is \WINDOWS\system32\uxtheme.dll for Process Id 170

Process Id 170 whose Parent Id is 478 was Destroyed

On 11/16/11, raj_r wrote:
> Thanks Ken, I'll see if I can somehow log all processes with their
> names and PIDs that are created over a period of time and compare the
> PID with the windbg command line;
> the one with the recent PID 0xXXXX before windbg fails to attach should
> be the process.
>
> Is a utility like that available ready made?
>
> pid_with_procname_logforevr.exe
>

The PID to process name is riddled with hacks :slight_smile:

Peb->ImageFileName
Peb->SeAuditProcessCreationInfo->ImageFileName->Name
ZwQueryProcessInformation
SectionObject and ObQuery Name
PsGet**FileName (isn't even available in the latest header, it seems)

I am choosing the first hack
(apart from the vagueness of the rogue-app-masquerading-as-legit problem,
offsets may vary, updates can kill it, it's not portable across OS
versions, etc. etc.)

Will this field always contain the 16-byte name? Or can it be null
too sometimes?

My code is as follows:

#include <ntifs.h>

DRIVER_INITIALIZE DriverEntry;

DRIVER_UNLOAD DriverUnload;

VOID ProcCreateMon(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    );

/* Offset of EPROCESS.ImageFileName on the kernel build this was tested on.
   It is not portable; check it with "dt nt!_EPROCESS ImageFileName" on each target. */
#define EPROCESS_IMAGEFILENAME_OFFSET 0x174

VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
    /* Remove the callback registered in DriverEntry */
    PsSetCreateProcessNotifyRoutine(ProcCreateMon, TRUE);
}

NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* Registration can fail; returning its status keeps the driver from
       loading with no callback, which DriverUnload would then try to remove */
    return PsSetCreateProcessNotifyRoutine(ProcCreateMon, FALSE);
}

VOID
ProcCreateMon(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    )
{
    PEPROCESS eproc = NULL;
    PCHAR foo;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(ParentId);

    if (Create) {
        /* Takes a reference on the EPROCESS; on failure eproc stays NULL
           and must not be touched */
        status = PsLookupProcessByProcessId(ProcessId, &eproc);
        if (!NT_SUCCESS(status)) {
            return;
        }
        /* ImageFileName is a 16-byte NUL-padded field, so at most the first
           15 characters of the image name are printed */
        foo = (PCHAR)eproc + EPROCESS_IMAGEFILENAME_OFFSET;
        DbgPrint("PID %X Process Name %s\n", ProcessId, foo);
        ObDereferenceObject(eproc);
    }
}

Output as follows:

kd> g
KD: Accessing 'C:\WinDDK\7600.16385.1\src\HelloWorld\ProcCreateMon\objfre_wlh_x86\i386\proccreatemon.sys'
(\??\C:\WINDOWS\system32\drivers\proccreatemon.sys)
File size 4K.
MmLoadSystemImage: Pulled
\??\C:\WINDOWS\system32\drivers\proccreatemon.sys from kd
PID 590 Process Name cmd.exe
PID 664 Process Name calc.exe
PID 720 Process Name notepad.exe
PID 734 Process Name procexp.exe
PID 788 Process Name mspaint.exe
PID A4 Process Name svchost.exe
PID E4 Process Name netstat.exe
PID F0 Process Name ping.exe
PID 6DC Process Name tracert.exe
PID 6CC Process Name explorer.exe
watchdog!WdUpdateRecoveryState: Recovery enabled.
PID 6C4 Process Name help.exe
PID 140 Process Name wmic.exe
PID 168 Process Name wmiprvse.exe
PID 704 Process Name wmic.exe
PID 2A0 Process Name Dbgview.exe
PID 294 Process Name cmd.exe
PID 304 Process Name HxD.exe
PID 3E8 Process Name msgbox.exe

These prints are visible in the target's DbgView output too.

Is this usable, or is it a surefire way to BSOD :slight_smile:

On 11/17/11, raj_r wrote:
> Well, I thought I'd do some DbgPrint app and log the debug prints using
> debugmon so I can parse PIDs if the crash happened again.
>
> But it seems PsSetCreateProcessNotifyRoutine returns only the PID, no name,
> and PsSetLoadImageNotifyRoutine returns too much #$%^ though it has a PID.
>
> So I googled to see if I can find a way to get the process name from the PID,
> and it seems it is full of undocumented hacks.
>
> OSR Online has a ZwQueryInformationProcess article,
> some forums have some deprecated PsGetProcessNameFromFileName,
> some sites have hacks to read from the PEB, etc.
>
> Is there no documented and supported way to get the process name from the
> first callback, or limit the spew to only the process name and not all the
> DLLs, etc. from the second callback??
>
> Here is a windbg spew of the process:
>
> kd> g
> KD: Accessing
> 'C:\WinDDK\7600.16385.1\src\HelloWorld\ProcCreateMon\objfre_wxp_x86\i386\proccreatemon.sys'
> (\??\C:\WINDOWS\system32\drivers\proccreatemon.sys)
> File size 3K.
> MmLoadSystemImage: Pulled
> \??\C:\WINDOWS\system32\drivers\proccreatemon.sys from kd
> ProcCreateMon Callback is being registered from proccreatemon.sys
> ProcCreateMon Callback registration Succeded from proccreatemon.sys
> LoadImageMon Callback is being registered from proccreatemon.sys
> LoadImageMon Callback registration Succeded from proccreatemon.sys
>
> Process Id 170 whose Parent Id is 478 was created
>
> Process Name is \Device\HarddiskVolume1\WINDOWS\system32\calc.exe for
> Process Id 170
> Process Name is \SystemRoot\System32\ntdll.dll for Process Id 170
>
> cut off other dlls
>
> Process Name is \WINDOWS\system32\uxtheme.dll for Process Id 170
>
> Process Id 170 whose Parent Id is 478 was Destroyed

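An added example, not code from the thread, of the correlation raj_r outlined in the 11/16 reply (log PIDs with names, then match the PID from windbg's command line or its error text) applied to the DbgPrint formats of both drivers above. It is a Python script over a constructed DbgView capture; it assumes the sequence/timestamp columns were stripped, that the drivers printed PIDs with %X (hex) while windbg's -p argument and error text are decimal (0xA5C is 2652), and it keeps only the first image-load line per process, which is the executable itself rather than one of its DLLs.

```python
"""Replay a DbgView capture of the ProcCreateMon DbgPrint lines against
windbg's attach-failure text to name the process that exited before the
attach completed. Added example; the sample log below is constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Second driver in the thread: name read straight from EPROCESS (15 chars max).
SHORT_CREATE_RE = re.compile(r"^PID ([0-9A-Fa-f]+) Process Name (.+?)\s*$")
# First driver in the thread: create/destroy callback plus load-image callback.
LONG_CREATE_RE = re.compile(r"^Process Id ([0-9A-Fa-f]+) whose Parent Id is [0-9A-Fa-f]+ was created")
LONG_DESTROY_RE = re.compile(r"^Process Id ([0-9A-Fa-f]+) whose Parent Id is [0-9A-Fa-f]+ was Destroyed")
IMAGE_LOAD_RE = re.compile(r"^Process Name is (.+) for Process Id ([0-9A-Fa-f]+)")
# Both forms of the debugger's complaint seen in the thread (decimal PID).
ATTACH_FAIL_RE = re.compile(r"(?:Could not attach to process|cannot debug pid) (\d+)", re.IGNORECASE)
# The -p argument on windbg's own command line, as shown by ".tlist -v".
WINDBG_P_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def pid_from_windbg_cmdline(cmdline: str) -> Optional[int]:
    """PID windbg was told to attach to, or None for a kernel (-kl) instance."""
    m = WINDBG_P_RE.search(cmdline)
    return int(m.group(1)) if m else None


class Correlator:
    """Walks the log in capture order, so a PID reused by a later process is
    never attributed to an earlier attach failure."""

    def __init__(self) -> None:
        self.names: Dict[int, str] = {}       # pid -> image name of its most recent creation
        self.awaiting_exe: Set[int] = set()   # created, main image not yet reported
        self.exited: Set[int] = set()         # destroy seen after the most recent creation
        self.hits: List[Tuple[int, Optional[str], bool]] = []

    def feed(self, line: str) -> None:
        line = line.strip()
        m = SHORT_CREATE_RE.match(line)
        if m:
            pid = int(m.group(1), 16)         # %X: hex in the log
            self.names[pid] = m.group(2)
            self.exited.discard(pid)
            return
        m = LONG_CREATE_RE.match(line)
        if m:
            pid = int(m.group(1), 16)
            self.awaiting_exe.add(pid)
            self.exited.discard(pid)
            return
        m = IMAGE_LOAD_RE.match(line)
        if m:
            pid = int(m.group(2), 16)
            # The first image load after the create is the executable itself;
            # everything after it (ntdll.dll, uxtheme.dll, ...) is skipped.
            if pid in self.awaiting_exe:
                self.names[pid] = m.group(1).rsplit("\\", 1)[-1]
                self.awaiting_exe.discard(pid)
            return
        m = LONG_DESTROY_RE.match(line)
        if m:
            self.exited.add(int(m.group(1), 16))
            return
        m = ATTACH_FAIL_RE.search(line)
        if m:
            pid = int(m.group(1))             # windbg reports decimal
            # (pid, name or None if never seen created, whether its exit was
            # logged before the failure, which is what 0xC000010A describes)
            self.hits.append((pid, self.names.get(pid), pid in self.exited))


def correlate(lines: List[str]) -> List[Tuple[int, Optional[str], bool]]:
    c = Correlator()
    for line in lines:
        c.feed(line)
    return c.hits


# Constructed sample capture in the two formats shown in the thread.
SAMPLE_LOG = [
    "Process Id 170 whose Parent Id is 478 was created",
    "Process Name is \\Device\\HarddiskVolume1\\WINDOWS\\system32\\calc.exe for Process Id 170",
    "Process Name is \\SystemRoot\\System32\\ntdll.dll for Process Id 170",
    "Process Name is \\WINDOWS\\system32\\uxtheme.dll for Process Id 170",
    "PID 590 Process Name cmd.exe",
    "PID A5C Process Name mspaint.exe",                   # 0xA5C == 2652
    "watchdog!WdUpdateRecoveryState: Recovery enabled.",  # unrelated kernel output
    "Process Id 170 whose Parent Id is 478 was Destroyed",
    "Could not attach to process 368, NTSTATUS 0xC000010A",   # 368 == 0x170
    "Could not attach to process 2652, NTSTATUS 0xC000010A",
    "PID A5C Process Name notepad.exe",                   # PID 2652 reused later
    "cannot debug pid 2652 ntstatus 0xc000010a",
    "cannot debug pid 4660 ntstatus 0xc000010a",          # never seen being created
]

if __name__ == "__main__":
    print(pid_from_windbg_cmdline('"F:\\windbg\\612windbg\\windbg.exe" -p 2652 -e 444 -g'))
    for pid, name, exited in correlate(SAMPLE_LOG):
        print(f"attach to {pid} failed: {name or '<unknown>'} (exit logged: {exited})")
```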
You’re not digging into the PEB here, all you’re doing is getting the 16
character name from the EPROCESS (which is exactly what
PsGetProcessImageFileName does, though that’s also undocumented and
unsupported).

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

“raj_r” wrote in message news:xxxxx@windbg…

the pid to process name is riddled with hacks :)

Peb->ImageFileName
Peb->SeAuditProcessCreationInfo->ImageFileName->Name
ZwQueryProcessInformation
SectionObject and ObQuery Name
PsGet**FileName (isn't even available in the latest header it seems)

I am choosing the first hack
(apart from the vagueness of a rogue app masquerading as legit, the
problem that offsets may vary, updates can kill it, it's not portable
across OS versions etc. etc.)

will this field contain the 16 byte name always? or can it be null
too sometimes?

my code as follows

#include <ntifs.h>

DRIVER_INITIALIZE DriverEntry;

DRIVER_UNLOAD DriverUnload;

VOID ProcCreateMon(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    );

VOID
DriverUnload(
    PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutine(ProcCreateMon, TRUE);
}

NTSTATUS
DriverEntry(
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* Return the registration status: if it fails the driver must not load,
       otherwise DriverUnload would try to remove a routine that was never set */
    return PsSetCreateProcessNotifyRoutine(ProcCreateMon, FALSE);
}

VOID
ProcCreateMon(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    )
{
    PEPROCESS eproc = NULL;
    PCHAR foo;

    UNREFERENCED_PARAMETER(ParentId);

    if (Create) {
        /* The lookup can fail (the process may already be gone); never touch eproc then */
        if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &eproc))) {
            return;
        }
        /* EPROCESS.ImageFileName at offset 0x174: hard-coded for this x86 build
           (matches what nt!PsGetProcessImageFileName does), not portable */
        foo = (PCHAR)eproc + 0x174;
        DbgPrint("PID %X Process Name %s\n", (ULONG)(ULONG_PTR)ProcessId, foo);
        ObDereferenceObject(eproc);
    }
}

output as follows

kd> g
KD: Accessing
‘C:\WinDDK\7600.16385.1\src\HelloWorld\ProcCreateMon\objfre_wlh_x86\i386\proccreatemon.sys’
(??\C:\WINDOWS\system32\drivers\proccreatemon.sys)
File size 4K.
MmLoadSystemImage: Pulled
??\C:\WINDOWS\system32\drivers\proccreatemon.sys from kd
PID 590 Process Name cmd.exe
PID 664 Process Name calc.exe
PID 720 Process Name notepad.exe
PID 734 Process Name procexp.exe
PID 788 Process Name mspaint.exe
PID A4 Process Name svchost.exe
PID E4 Process Name netstat.exe
PID F0 Process Name ping.exe
PID 6DC Process Name tracert.exe
PID 6CC Process Name explorer.exe
watchdog!WdUpdateRecoveryState: Recovery enabled.
PID 6C4 Process Name help.exe
PID 140 Process Name wmic.exe
PID 168 Process Name wmiprvse.exe
PID 704 Process Name wmic.exe
PID 2A0 Process Name Dbgview.exe
PID 294 Process Name cmd.exe
PID 304 Process Name HxD.exe
PID 3E8 Process Name msgbox.exe

these prints are visible in targets dbgview output too

is this usable or is it a surefire way to bsod :)

On 11/17/11, raj_r wrote:
> well i thought I'll do some dbgprint app and log the dbg prints using
> debugmon so i can parse pids if the crash happened again
>
>
> but it seems PsSetCreateNotifyRoutine returns only PID, no Name
> and PsSetLoadImageNotifyRoutine returns too much #$%^ though it has a pid
>
> so googled to see if i can find a way to get proc name from pid
> and it seems it is full of undocumented hacks
>
> osronline has a ZwQueryInformationProcess article
> some forums have some deprecated PsGetProcessNameFromFileName
> some sites have hacks to read from peb etc
>
> is there no documented and supported way to get Process Name from the
> first callback
> or limit the spew to only process name and not all the dlls, etc from
> second call back ??
>
> here is a windbg spew of the process
>
> kd> g
> KD: Accessing
> ‘C:\WinDDK\7600.16385.1\src\HelloWorld\ProcCreateMon\objfre_wxp_x86\i386\proccreatemon.sys’
> (??\C:\WINDOWS\system32\drivers\proccreatemon.sys)
> File size 3K.
> MmLoadSystemImage: Pulled
> ??\C:\WINDOWS\system32\drivers\proccreatemon.sys from kd
> ProcCreateMon Callback is being registered from proccreatemon.sys
> ProcCreateMon Callback registration Succeded from proccreatemon.sys
> LoadImageMon Callback is being registered from proccreatemon.sys
> LoadImageMon Callback registration Succeded from proccreatemon.sys
>
> Process Id 170 whose Parent Id is 478 was created
>
> Process Name is \Device\HarddiskVolume1\WINDOWS\system32\calc.exe for
> Process Id 170
> Process Name is \SystemRoot\System32\ntdll.dll for Process Id 170
>
> cut off other dlls
>
> Process Name is \WINDOWS\system32\uxtheme.dll for Process Id 170
>
> Process Id 170 whose Parent Id is 478 was Destroyed
>
> On 11/16/11, raj_r wrote:
>> Thanks Ken, I'll see if I can somehow log all processes with their
>> names and pids that are created over a period of time and compare the
>> pid with windbg's command line
>> the one with the recent pid 0xXXXX before windbg fails to attach should
>> be the process
>>
>> is a utility like that available ready made
>>
>> pid_with_procname_logforevr.exe
>>
>> On 11/15/11, Skywing wrote:
>>> You will need to find a way to make one of those options work. Perhaps
>>> you can debug whomever creates the failing process using child debug
>>> follow mode and arrange to be in control that way when the initial
>>> failure occurs.
>>>
>>> Note that you can look up error codes in the WDK/SDK headers, with
>>> !error in the debugger, or Err.exe ("Exchange Server Error Code Lookup
>>> Utility").
>>>
>>> - S (Msft)
>>>
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of raj_r
>>> Sent: Monday, November 14, 2011 7:44 PM
>>> To: Kernel Debugging Interest List
>>> Subject: Re: [windbg] finding the process which windbg cannot attach to
>>> 0xc000010a error
>>>
>>> On 11/15/11, Skywing wrote:
>>>> You cannot force attach with the user mode debugger in this case,
>>>> which may occur if the process gets terminated (could be due to any
>>>> number of application-specific reasons) before the debugger completes
>>>> the process attach.
>>>
>>> i dont know which process to attach to beforehand
>>>>
>>>
>>>> Either attach the user mode debugger beforehand, or use the kernel
>>>> debugger and configure it to break on first chance exceptions (!gflags
>>>> +soe).
>>>
>>>
>>> it's a laptop that doesn't have a COM port, and always having the kernel
>>> debugger attached somehow isn't a possible scenario
>>>
>>> Thanks for replying back, and your blog is the only place that somehow
>>> has a reference to the error code :)
>>>
>>> How I ended up in the kernel debugger while trying to get PHP and …
>>> www.nynaeve.net/?p=118
>>> 14 Apr 2007 – The data field contains the error number. To learn more
>>> about
>>> this … Debuggee initialization failed, NTSTATUS 0xC000010A “An
>>> attempt
>>> was …
>>>
>>> thanks and regards
>>>
>>> raj
>>>
>>>>
>>>> - S (Msft)
>>>> ________________________________________
>>>> From: xxxxx@lists.osr.com
>>>> [xxxxx@lists.osr.com]
>>>> on behalf of raj_r [xxxxx@gmail.com]
>>>> Sent: Saturday, November 12, 2011 11:28 AM
>>>> To: Kernel Debugging Interest List
>>>> Subject: [windbg] finding the process which windbg cannot attach to
>>>> 0xc000010a error
>>>>
>>>> 1) how to find which process windbg tried to attach to in this error
>>>> msg
>>>> 2) why it couldnt attach and
>>>> 3) how can i force attach to it if need be ??
>>>>
>>>>
>>>> i see some occasional msg by the AeDebugger (windbg ) like this
>>>>
>>>> cannot debug pid XXXXX ntstatus 0xc000010a
>>>> lkd> !error 0xc000010a
>>>> Error code: (NTSTATUS) 0xc000010a (3221225738) - An attempt was made
>>>> to duplicate an object handle into or out of an exiting process.
>>>>
>>>>
>>>> how to find what process caused this ?? if i click ok on the
>>>> messagebox windbg simply quits
>>>>
>>>> i opened lkd on such instance and i list the process
>>>>
>>>> lkd> .tlist -v wind*
>>>> 0n2068 windbg.exe
>>>> Session: 0 User: MC\Admin Command Line:
>>>> “F:\windbg\612windbg\windbg.exe” -p 2652 -e 444 -g
>>>> 0n2064 windbg.exe
>>>> Session: 0 User: MC\Admin Command Line:
>>>> “F:\windbg\612windbg\windbg.exe” -p 2652 -e 684 -g
>>>> 0n1528 windbg.exe
>>>> Session: 0 User: MC\Admin Command Line:
>>>> “F:\windbg\612windbg\windbg.exe” -kl -Q
>>>>
>>>>
>>>> i see windbg is trying to attach to pid 2652 in this case
>>>>
>>>> i also see -e 444 and -684
>>>>
>>>> windbg help file says e is used to call debugger programatically ?
>>>>
>>>> {quote}
>>>> -e Event
>>>> Signals the debugger that the specified event has occurred. This
>>>> option is only used when starting the debugger programmatically.
>>>> {/quote}
>>>>
>>>> dumping the process details of windbg does not give a coherant stack
>>>>
>>>> lkd> !process 0n2068 f
>>>> Searching for Process with Cid == 814
>>>> Cid handle table at e3d24000 with 559 entries in use
>>>>
>>>> PROCESS 865b1828 SessionId: 0 Cid: 0814 Peb: 7ffdb000 ParentCid:
>>>> 0a5c
>>>> DirBase: 0fdc0420 ObjectTable: e114a4d0 HandleCount: 67.
>>>> Image: windbg.exe
>>>> VadRoot 85f91888 Vads 71 Clone 0 Private 276. Modified 19. Locked
>>>> 0.
>>>> DeviceMap e2de19b0
>>>> Token e1614b20
>>>> ElapsedTime 00:24:30.984
>>>> UserTime 00:00:00.031
>>>>
>>>>
>>>> a9836cc8 80500cf0 nt!KiSwapContext+0x2e (FPO: [Uses EBP]
>>>> [0,0,4])
>>>> a9836cd4 804f9d72 nt!KiSwapThread+0x46 (FPO: [0,0,0])
>>>> a9836cfc bf802f45 nt!KeWaitForSingleObject+0x1c2 (FPO:
>>>> [Non-Fpo])
>>>> WARNING: Frame IP not in any known module. Following frames may be
>>>> wrong.
>>>> a9836d5c 8053d658 0xbf802f45
>>>> a9836d5c 0000003b nt!KiFastCallEntry+0xf8 (FPO: [0,0]
>>>> TrapFrame @ a9836d4c)
>>>> 00000001 00000000 0x3b
>>>>
>>>>
>>>> doing a .process and listing the modules dont show any module that
>>>> windbg is trying to attach
>>>>
>>>> lkd> .process /p /r 865b1828
>>>> Implicit process is now 865b1828
>>>> Loading User Symbols
>>>> …WARNING: Loader 001a1f18 timestamp 00000000 != header timestamp
>>>> 49c4f482 …
>>>> lkd> lm
>>>> start end module name
>>>> 01000000 01097000 windbg (deferred)
>>>> 02000000 0239b000 dbgeng (deferred)
>>>> 03000000 03141000 dbghelp (deferred)
>>>> 4b400000 4b486000 MSFTEDIT (deferred)
>>>>
>>>>
>>>> the only thing that looks odd is the current directory in !peb
>>>>
>>>> CurrentDirectory: 'C:\Documents and
>>>> Settings\LocalService\Application Data\ZTE_CDMA_1X'
>>>> WindowTitle: ‘F:\windbg\612windbg\windbg.exe’
>>>> ImageFile: ‘F:\windbg\612windbg\windbg.exe’
>>>> CommandLine: ‘“F:\windbg\612windbg\windbg.exe” -p 2652 -e 444 -g’
>>>>
>>>>
>>>> that dir doesnt sem to contain any exe
>>>>
>>>> lkd> .shell dir "C:\Documents and Settings\LocalService\Application
>>>> Data\ZTE_CDMA_1X"
>>>> <.shell waiting 1 second(s) for process> Volume in drive C has no
>>>> label.
>>>> Volume Serial Number is 9836-92E3
>>>>
>>>> Directory of C:\Documents and Settings\LocalService\Application
>>>> Data\ZTE_CDMA_1X
>>>>
>>>> 05/11/2011 09:09 .
>>>> 05/11/2011 09:09 ..
>>>> 12/11/2011 23:37 287 Config.ini
>>>> 05/11/2011 09:09 157 plot.log
>>>> 2 File(s) 444 bytes
>>>> 2 Dir(s) 5,963,878,400 bytes free
>>>> .shell: Process exited
>>>> Press ENTER to continue
>>>> <.shell waiting 1 second(s) for process> <.shell process may need
>>>> input>
>>>>
>>>>
>>>> how can i eke out the process name that windbg was trying to attach to
>>>> ?
>>>>
>>>> and how to find out what event was signaled ?? that shows up in windbg
>>>> command line ?
>>>>
>>>> 1) what exe exited ?
>>>> 2)why windbg wanted to catch it ?
>>>> 3) and why it couldnt catch it ?
>>>>
>>>> befor closing down the instance i have made a dump using
>>>>
>>>> ntsd -pv -p 2068 -c “.dump /ma windbgdump.dmp;”
>>>>
>>>>
>>>>
>>>> 0:000> !analyze ;du 01071f80; du 01076280
>>>> *************************************************************
>>>> *                                                           *
>>>> *                    Exception Analysis                     *
>>>> *                                                           *
>>>> *************************************************************
>>>>
>>>> Use !analyze -v to get detailed debugging information.
>>>>
>>>> GetPageUrlData failed, server returned HTTP status 404 URL requested:
>>>> http://watson.microsoft.com/StageOne/windbg_exe/6_12_2_633/unknown/0_0_0_0/00000000.htm?Retriage=1
>>>> Probably caused by : windbg.exe ( windbg!TextMsgBox+78 )
>>>>
>>>> Followup: MachineOwner
>>>> ---------
>>>>
>>>> 01071f80 “Could not attach to process 2652”
>>>> 01071fc0 “, NTSTATUS 0xC000010A…An attemp”
>>>> 01072000 “t was made to duplicate an objec”
>>>> 01072040 “t handle into or out of an exiti”
>>>> 01072080 “ng process.”
>>>> 01076280 "WinDbg:6.12.0002.633 X86 "
>>>>

thanks scott

I disassembled them and saw the implementation, so I chose it

the code seems to be working till now; hope I catch the culprit

lkd> x *!Ps*get*File*
8052779c nt!PsGetProcessImageFileName =
a8f65056 mrxdav!PsGetProcessImageFileName =
lkd> uf 8052779c
nt!PsGetProcessImageFileName:
8052779c 8bff mov edi,edi
8052779e 55 push ebp
8052779f 8bec mov ebp,esp
805277a1 8b4508 mov eax,dword ptr [ebp+8]
805277a4 0574010000 add eax,174h
805277a9 5d pop ebp
805277aa c20400 ret 4
lkd> uf a8f65056
nt!PsGetProcessImageFileName:
8052779c 8bff mov edi,edi
8052779e 55 push ebp
8052779f 8bec mov ebp,esp
805277a1 8b4508 mov eax,dword ptr [ebp+8]
805277a4 0574010000 add eax,174h
805277a9 5d pop ebp
805277aa c20400 ret 4

mrxdav!PsGetProcessImageFileName:
a8f65056 ff25d0aaf6a8 jmp dword ptr
[mrxdav!imp__PsGetProcessImageFileName (a8f6aad0)]
lkd> dps a8f6aad0 l1
a8f6aad0 8052779c nt!PsGetProcessImageFileName

thanks and regards

raj_r
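The missing piece in the plan above is the correlation step: matching the "-p 2652" on the AeDebug command line against the creation log the driver writes. Two details trip that up. The driver prints the PID with %X, so the log holds hexadecimal (2652 is 0xA5C) while windbg's -p argument is decimal; and PIDs are recycled, so the "latest entry with this PID" can be a process created after the failure. Since the AeDebug debugger is launched by the faulting process, the right entry is the newest creation of the target PID that precedes the creation of the windbg instance itself (note that the ParentCid 0a5c in the !process output above is 2652 in decimal, which is a quick cross-check). The 16-byte EPROCESS.ImageFileName field also holds at most 15 characters plus the terminator, so long image names are truncated in the log. The following script is an added example, not code from this thread or from any of its posters; its DbgView log lines and the image name "example.exe" are constructed for illustration, and the .tlist text is shaped like the output quoted above.

```python
"""Correlate windbg's failed "-p <pid>" attach with a log of process
creations captured from the thread's driver, which prints
"PID %X Process Name %s" (hexadecimal PID, 15-character image name).

Added example, not code from the thread. All sample input below is
constructed; the image name "example.exe" is a placeholder."""
import re
from typing import List, NamedTuple, Optional

# DbgView prefixes each captured line with a sequence number and a
# timestamp; kd prints the bare string. search() tolerates either form.
LOG_RE = re.compile(r"PID\s+([0-9A-Fa-f]+)\s+Process Name\s+(\S+)\s*$")
# ".tlist -v" prints "0n<pid> image" then a "Session: ... Command Line: ..." line.
TLIST_IMAGE_RE = re.compile(r"^0n(\d+)\s+(\S+)\s*$")
CMDLINE_RE = re.compile(r"Command Line:\s*(.*)$")
OPT_P_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
OPT_E_RE = re.compile(r"(?:^|\s)-e\s+(\d+)")
PARENT_RE = re.compile(r"ParentCid:\s*([0-9A-Fa-f]+)")


class Creation(NamedTuple):
    seq: int    # position in the log, i.e. creation order
    pid: int    # decimal; the driver printed it with %X
    name: str   # ImageFileName as logged (at most 15 characters)


class AttachAttempt(NamedTuple):
    debugger_pid: int        # windbg's own PID ("0n" prefix means decimal)
    target_pid: int          # the -p argument, decimal
    event: Optional[int]     # the -e handle value, if present


def as_logged(image_name: str) -> str:
    """What a full image name looks like in the 16-byte EPROCESS field."""
    return image_name[:15]


def parse_creation_log(lines) -> List[Creation]:
    out: List[Creation] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:   # unrelated DbgPrint spew (watchdog!..., load messages) is skipped
            out.append(Creation(len(out), int(m.group(1), 16), m.group(2)))
    return out


def parse_tlist(text: str) -> List[AttachAttempt]:
    """Pull every windbg instance launched with -p out of .tlist -v output."""
    attempts: List[AttachAttempt] = []
    current_pid: Optional[int] = None
    for line in text.splitlines():
        m = TLIST_IMAGE_RE.match(line.strip())
        if m:
            current_pid = int(m.group(1))
            continue
        m = CMDLINE_RE.search(line)
        if m and current_pid is not None:
            p = OPT_P_RE.search(m.group(1))
            e = OPT_E_RE.search(m.group(1))
            if p:   # "-kl -Q" style instances have no target and are ignored
                attempts.append(AttachAttempt(current_pid, int(p.group(1)),
                                              int(e.group(1)) if e else None))
            current_pid = None
    return attempts


def find_target_image(log: List[Creation], attempt: AttachAttempt) -> Optional[str]:
    """Name of the process windbg was told to attach to.

    PIDs are recycled, so "the log entry with this PID" is ambiguous. The
    AeDebug debugger is spawned by the faulting process, so the right entry
    is the newest creation of target_pid that precedes the creation of this
    windbg instance; a later reuse of the PID must not be picked. If the
    debugger's own creation is not in the log, fall back to the newest entry."""
    debugger_seqs = [c.seq for c in log if c.pid == attempt.debugger_pid]
    cutoff = debugger_seqs[-1] if debugger_seqs else len(log)
    candidates = [c for c in log if c.pid == attempt.target_pid and c.seq < cutoff]
    return candidates[-1].name if candidates else None


def parent_cid(process_banner: str) -> Optional[int]:
    """ParentCid from a !process banner, as decimal, to cross-check with -p."""
    m = PARENT_RE.search(process_banner)
    return int(m.group(1), 16) if m else None


# Constructed sample input (DbgView-style "seq<TAB>time<TAB>text" lines).
SAMPLE_LOG = [
    "00000001\t0.00000000\tPID 590 Process Name cmd.exe",
    "00000002\t1.20000005\tPID A5C Process Name calc.exe",      # 0xA5C = 2652, first use
    "00000003\t1.50000000\twatchdog!WdUpdateRecoveryState: Recovery enabled.",
    "00000004\t5.50000000\tPID A5C Process Name example.exe",   # PID recycled: the faulting process
    "00000005\t5.60000000\tPID 814 Process Name windbg.exe",    # 0x814 = 2068, AeDebug launch
    "00000006\t5.61000000\tPID 810 Process Name windbg.exe",    # 0x810 = 2064, second launch
    "00000007\t9.00000000\tPID A5C Process Name notepad.exe",   # recycled again, after the failure
]
SAMPLE_TLIST = r"""0n2068 windbg.exe
Session: 0 User: MC\Admin Command Line: "F:\windbg\612windbg\windbg.exe" -p 2652 -e 444 -g
0n2064 windbg.exe
Session: 0 User: MC\Admin Command Line: "F:\windbg\612windbg\windbg.exe" -p 2652 -e 684 -g
0n1528 windbg.exe
Session: 0 User: MC\Admin Command Line: "F:\windbg\612windbg\windbg.exe" -kl -Q
"""

if __name__ == "__main__":
    log = parse_creation_log(SAMPLE_LOG)
    for a in parse_tlist(SAMPLE_TLIST):
        print(f"windbg {a.debugger_pid}: -p {a.target_pid} (0x{a.target_pid:X}) "
              f"-e {a.event} -> {find_target_image(log, a)}")
    print("ParentCid 0a5c ->", parent_cid("PROCESS 865b1828 Cid: 0814 ParentCid: 0a5c"))
```

Run against a real DbgView export, the naive "last line mentioning A5C" would have returned notepad.exe here; anchoring on the debugger's own creation entry returns example.exe for both windbg instances. The script only needs the driver's log and the .tlist text saved before the message box is dismissed, so it fits the no-kernel-debugger constraint raised earlier in the thread.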
