Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


On redstone 3 kd: !process 0 0 returns "NT symbols are incorrect"

Test_AccountTest_Account Member - All Emails Posts: 2
I used to be able to do "!process 0 0" to list all the processes in the kernel debugging connection.

However, on redstone 3 kd session, I notice that I cannot do !process command anymore. Any idea about how to solve this issue? Thanks!

0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
NT symbols are incorrect, please fix symbols

0: kd> lml
start end module name
8100c000 8168d000 nt (export symbols) ntkrpamp.exe
8168d000 816f1000 hal (private pdb symbols) c:\websymbols\halmacpi.pdb\DA0B57721D0A24B26129B847A7978DA31\halmacpi.pdb
...

0: kd> kn
# ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 803faa1c 810e9f5d nt!DbgBreakPointWithStatus+0x4
01 803faa40 810e80d2 nt!KeClockInterruptNotify+0x7dd
02 803faa90 810e986f nt!KeEnumerateNextProcessor+0x972
03 803faaf0 81694ddd nt!KeClockInterruptNotify+0xef
04 803fab00 816a572b hal!HalpTimerClockInterruptCommon+0x3f
05 803fab00 8115d62e hal!HalpTimerClockInterrupt+0x1f7
06 803fac08 00000000 nt!KiDispatchInterrupt+0x63e

0: kd> .sympath
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;srv*

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,352
    You're missing the symbols for NT, might be another case of the symbols not
    being on the symbol server yet. What does the following say:

    !sym noisy
    .reload

    -scott
    OSR
    @OSRDrivers

    -scott
    OSR

  • aluhrsaluhrs Member - All Emails Posts: 32
    Please share the output Scott asked for and 'lmvm nt'. I'm already chasing one report of this, just want to make sure you're reporting the same version.
  • Test_AccountTest_Account Member - All Emails Posts: 2
    Sorry for answering late. Actually the issue resolved itself recently without any changes from my side. Probably the symbols are now uploaded to the symbol servers...
  • Johnny_ShawJohnny_Shaw Member Posts: 24
    I'm running into similar issues, I've been reverting my Win10 VM to a previous build to work around it. I even tried downloading the 1709 symbol package online and clearing out the problematic nt symbol from my local symstore. Hoping to get some help or see if someone else is having similar problems:


    0: kd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    Unable to read _LIST_ENTRY @ fffff8013f546fe0
    0: kd> .reload
    Connected to Windows 10 15063 x64 target at (Mon Oct 23 06:59:53.413 2017 (UTC - 6:00)), ptr64 TRUE
    SYMSRV: BYINDEX: 0xC
    c:\symbols\*https://msdl.microsoft.com/download/symbols
    ntkrnlmp.pdb
    10F6DCB09D604445B05C70106B9824CB1
    SYMSRV: PATH: c:\symbols\ntkrnlmp.pdb\10F6DCB09D604445B05C70106B9824CB1\ntkrnlmp.pdb
    SYMSRV: RESULT: 0x00000000

    DBGHELP: nt - public symbols
    c:\symbols\ntkrnlmp.pdb\10F6DCB09D604445B05C70106B9824CB1\ntkrnlmp.pdb
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ....................................................
    Loading User Symbols

    Loading unloaded module list
    ..........
    SYMSRV: BYINDEX: 0xD
    c:\symbols\*https://msdl.microsoft.com/download/symbols
    kdnic.pdb
    17C6A06774CE93A2F41FCF995ADB0DA41
    SYMSRV: PATH: c:\symbols\kdnic.pdb\17C6A06774CE93A2F41FCF995ADB0DA41\kdnic.pdb
    SYMSRV: RESULT: 0x00000000

    DBGHELP: kdnic - public symbols
    c:\symbols\kdnic.pdb\17C6A06774CE93A2F41FCF995ADB0DA41\kdnic.pdb

    ************* Symbol Loading Error Summary **************
    Module name Error
    SharedUserData No error - symbol load deferred
    Symbol loading has been deferred because this symbol is not needed
    at this time. Use reload /f to force load symbols.


    0: kd> lmvm nt
    Browse full module list
    start end module name
    fffff801`3f201000 fffff801`3fa8a000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\10F6DCB09D604445B05C70106B9824CB1\ntkrnlmp.pdb
    Loaded symbol image file: ntkrnlmp.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Browse all global symbols functions data
    Timestamp: Fri Sep 29 01:20:26 2017 (59CDF43A)
    CheckSum: 007F2F34
    ImageSize: 00889000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE