symchk: Strange manifest file?

Hi everyone,

So I have a situation where I need to transfer .PDB files over to an airgapped test machine. I found from here that you can use symchk /om to first create a manifest file, and then symchk /im to download the corresponding .PDB files.

However, it seems that whenever I try to follow the following guide from OSR, I always get the following output:

C:\Users\Maxim\Documents\w10>symchk /om manifest.w10 /ie ntoskrnl.exe /s c:\users\Maxim\Documents\w10\empty
SYMCHK: ntoskrnl.exe         FAILED  - ntkrnlmp.pdb mismatched or not found
SYMCHK: hal.dll              FAILED  - hal.pdb mismatched or not found
SYMCHK: kd.dll               FAILED  - kd.pdb mismatched or not found
SYMCHK: mcupdate_AuthenticAMD.dll FAILED  - mcupdate_AuthenticAMD.pdb mismatched or not found
SYMCHK: msrpc.sys            FAILED  - msrpc.pdb mismatched or not found
SYMCHK: ksecdd.sys           FAILED  - ksecdd.pdb mismatched or not found
SYMCHK: werkernel.sys        FAILED  - WerKernel.pdb mismatched or not found
SYMCHK: clfs.sys             FAILED  - clfs.pdb mismatched or not found
SYMCHK: tm.sys               FAILED  - tm.pdb mismatched or not found
SYMCHK: PSHED.DLL            FAILED  - pshed.pdb mismatched or not found
...
SYMCHK: FAILED files = 195
SYMCHK: PASSED + IGNORED files = 0

The manifest looks like this:

C:\Users\Maxim\Documents\w10>type manifest.w10
ntoskrnl.exe,00,2
hal.dll,00,2
kd.dll,00,2
mcupdate_AuthenticAMD.dll,00,2
msrpc.sys,00,2
ksecdd.sys,00,2
werkernel.sys,00,2
clfs.sys,00,2
tm.sys,00,2
PSHED.DLL,00,2
...

Consequently when I try to then fetch the files, I get symchk complaining:

C:\Users\Maxim\Documents\w10>symchk /im manifest.w10 /s SRV*c:\users\Maxim\Documents\w10\empty*http://msdl.microsoft.com/download/symbols
SYMCHK: ntoskrnl.exe         ERROR - Unable to download file. Error reported was 2
SYMCHK: hal.dll              ERROR - Unable to download file. Error reported was 2
SYMCHK: kd.dll               ERROR - Unable to download file. Error reported was 2
SYMCHK: mcupdate_AuthenticAMD.dll ERROR - Unable to download file. Error reported was 2
SYMCHK: msrpc.sys            ERROR - Unable to download file. Error reported was 2
SYMCHK: ksecdd.sys           ERROR - Unable to download file. Error reported was 2
SYMCHK: werkernel.sys        ERROR - Unable to download file. Error reported was 2
SYMCHK: clfs.sys             ERROR - Unable to download file. Error reported was 2
SYMCHK: tm.sys               ERROR - Unable to download file. Error reported was 2
SYMCHK: PSHED.DLL            ERROR - Unable to download file. Error reported was 2
...

Could someone suggest what mistake I’m making? The zeroes in the manifest file look rather suspicious, because I tried with an older tool on Win XP, and evidently that’s where the checksum is supposed to go.

If the machine is airgapped, how can it download the symbols from the manifest?

If you have run windbg and loaded symbols on a networked machine, why not just copy the whole symbol directory over to a USB drive and transfer it to the airgapped machine?

@Tim_Roberts said:
If the machine is airgapped, how can it download the symbols from the manifest?

If you have run windbg and loaded symbols on a networked machine, why not just copy the whole symbol directory over to a USB drive and transfer it to the airgapped machine?

Well, I've got three machines: A, B, and C. A is connected to network, B and C are not. Machine B is my development machine, on which I want to launch WinDbg… and attach to machine C, the test machine.

I want to get PDBs that correspond to the binaries running on C, and then have them available to machine B so that I get sane view in WinDbg.

So I want to retrieve a list of PDBs that correspond to the binaries running on C. I believe symchk does that by giving me a manifest. I then get that manifest onto machine A via USB stick, and fetch those exact PDBs. Then I copy them over to machine B for WinDbg.

I can reproduce this behavior and SymChk is definitely broken. If you turn on verbose logging it’s coming up with a PDB signature value of zero and that’s not helpful… Worst part is that it does get the value correctly earlier in the output, but when it outputs the summary it shows zero.

The bug appears to be in symbolcheck.dll. In the name of science I grabbed a much older copy of that DLL from the Win7 SP1 WDK and replaced the one in the latest installation. Now when I run the command line I get proper manifest output. For example:

ntkrnlmp.pdb,0A0AB369CCAF2C2B44D37A82A8E6C16D1,1
ntoskrnl.exe,4ff75719ab7000,1
hal.pdb,F3383972E53BCF4212FB0F57D47870AF1,1
hal.dll,5c190592a4000,1

That might be a temporary workaround until this is fixed.
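
Added example, not part of the thread and not symchk's own code: a pre-flight check to run on a manifest before carrying it from machine C to machine A, so that a manifest with all-zero identifiers is caught before the download step. It assumes the three-field `name,identifier,field3` layout visible in the two manifests above and the usual two-tier symbol store layout `name/identifier/name`; the function names are hypothetical and the third field is kept without interpreting it.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    name: str
    ident: str
    kind: str  # third manifest field, carried through uninterpreted

def parse_manifest(text):
    """Parse 'name,identifier,kind' lines; skip blanks and lines such as '...'."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and all(parts):
            entries.append(Entry(*parts))
    return entries

def is_usable(entry):
    """An identifier made only of zeros (the '00' in the thread) selects no file."""
    ident = entry.ident
    is_hex = all(c in "0123456789abcdefABCDEF" for c in ident)
    return is_hex and ident.strip("0") != ""

def store_path(entry):
    """Relative path of the file in a two-tier symbol store (assumed layout)."""
    return f"{entry.name}/{entry.ident}/{entry.name}"

def check(text):
    """Split a manifest into (usable, unusable) entries."""
    entries = parse_manifest(text)
    good = [e for e in entries if is_usable(e)]
    bad = [e for e in entries if not is_usable(e)]
    return good, bad

# Lines copied from the two manifests shown in the thread.
BROKEN = "ntoskrnl.exe,00,2\nhal.dll,00,2\n...\n"
FIXED = ("ntkrnlmp.pdb,0A0AB369CCAF2C2B44D37A82A8E6C16D1,1\n"
         "ntoskrnl.exe,4ff75719ab7000,1\n")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        good, bad = check(text)
        print(f"{label}: {len(good)} usable, {len(bad)} unusable")
        for e in good:
            print("   expected at", store_path(e))
```
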