Hi, I'm stuck with loading symbols in WinDbg for Win 7 64-bit using the Microsoft symbol server:
lkd> !sym noisy
noisy mode - symbol prompts on
lkd> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: cache*;SRV*http://msdl.microsoft.com/download/symbols
lkd> .reload
Connected to Windows 7 7601 x64 target at (Thu Sep 28 16:33:18.421 2023 (UTC + 2:00)), ptr64 TRUE
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols: not available
DBGHELP: ntkrnlmp.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
DBGHELP: nt - export symbols
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
................................................................
....................
Loading unloaded module list
......
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols: not available
DBGHELP: ntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
DBGHELP: ntdll - export symbols
Can you help me? Thank you.
Comments
That seems like you can't reach the symbol server at all?
-scott
OSR
My Win 7 PC is behind a proxy server. However, I'm able to open an IE page to the Microsoft symbol server URL (viewing their certificates and so on...). The IE browser uses the system-defined proxy server.
From Windbg I get this error:
SYMSRV: error 0x2f19
I don't know if it is a networking issue or the symbol server simply does not have the required PDB files.
Sounds like Windbg doesn't.
I just skimmed it but it looks like this might help
I believe SymSrv is actually able to access the symbol server since I am prompted for proxy credentials and I see the certificate exchange.
lkd> !symsrv close
symbol server client has been closed
lkd> !sym prompts
noisy mode - symbol prompts on
lkd> .reload
Connected to Windows 7 7601 x64 target at (Fri Sep 29 11:35:25.294 2023 (UTC + 2:00)), ptr64 TRUE
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: WinInet Interface using proxy server: https=192.168.200.4:8080 http=192.168.200.4:80 ftp=192.168.200.4:80
SYMSRV: error 0x2f19
SYMSRV: error 0x2f19
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/90A825EBE124425398C40A24AD0F9F662/ntkrnlmp.pdb not found
DBGHELP: ntkrnlmp.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
DBGHELP: nt - export symbols
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
................................................................
....................
Loading unloaded module list
......
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: error 0x2f19
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.pdb/D7B2123090454025A8BF3FCFD849CF0A2/ntdll.pdb not found
DBGHELP: ntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
DBGHELP: ntdll - export symbols
Way past my skillset now but I'll note that
http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/90A825EBE124425398C40A24AD0F9F662/ntkrnlmp.pdb
resolves just fine for me, so I'm saying "networking".
Rod, you're right. I fixed it by manually downloading the PDB symbol files for ntkrnlmp and ntdll from the same PC (using IE behind the proxy).
I don't know why Symsrv can't connect to the symbol server behind the proxy...
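An added example, not part of the thread or of any participant's post: a Python sketch that reads `!sym noisy` output, derives for each missing PDB the download URL and the cache path SYMSRV expects (the same URL and path layout quoted above), and decodes the `SYMSRV: error` values. The log is a constructed sample in the shape of the output in this thread; the error-name table holds WinInet constants from `wininet.h`, which the thread does not mention, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the "!sym noisy" output quoted in this thread.
SAMPLE_LOG = r"""
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: error 0x2f19
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: error 0x2f19
"""

SERVER = "http://msdl.microsoft.com/download/symbols"  # URL as it appears in the thread

# Assumption added here: SYMSRV prints WinInet error codes (wininet.h) in hex.
WININET_ERRORS = {
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
    12057: "ERROR_INTERNET_SEC_CERT_REV_FAILED",
}

# <cache>\<name>.pdb\<GUID (32 hex digits) + age (hex)>\<name>.pdb not found
MISSING = re.compile(
    r"^SYMSRV:\s+(?P<path>[A-Za-z]:\\.*\\(?P<pdb>[^\\]+\.pdb)"
    r"\\(?P<id>[0-9A-Fa-f]{33,})\\(?P=pdb)) not found$", re.M)
ERROR = re.compile(r"^SYMSRV:\s+error (0x[0-9A-Fa-f]+)$", re.M)

def missing_symbols(log):
    """Return one record per distinct missing PDB, in log order."""
    seen, out = set(), []
    for m in MISSING.finditer(log):
        key = (m["pdb"].lower(), m["id"].upper())
        if key in seen:
            continue
        seen.add(key)
        out.append({
            "pdb": m["pdb"],
            "guid": m["id"][:32],             # PDB signature
            "age": int(m["id"][32:], 16),     # PDB age
            "url": f"{SERVER}/{m['pdb']}/{m['id']}/{m['pdb']}",
            "save_as": m["path"],             # where the debugger looks first
        })
    return out

def symsrv_errors(log):
    """Decode the distinct 'SYMSRV: error 0x...' values to WinInet names."""
    codes = sorted({int(h, 16) for h in ERROR.findall(log)})
    return [(c, WININET_ERRORS.get(c, "unknown")) for c in codes]

if __name__ == "__main__":
    for rec in missing_symbols(SAMPLE_LOG):
        print(rec["url"], "->", rec["save_as"])
    print(symsrv_errors(SAMPLE_LOG))
```

A file fetched by hand is only picked up if it is saved under the exact `save_as` path, because the GUID-plus-age directory is how the debugger matches a PDB to the loaded image.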
Digging into the Cache Manager implementation using WinDbg lkd, I can't find some of the Cc kernel variables such as nt!CcVacbs and nt!CcNumberVacbs.
Is that expected? Thank you.
lkd> .reload
Connected to Windows 7 7601 x64 target at (Mon Oct 2 13:07:06.249 2023 (UTC + 2:00)), ptr64 TRUE
DBGHELP: nt - public symbols
C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
................................................................
....................
Loading unloaded module list
.......
DBGHELP: ntdll - public symbols
C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb
...............
lkd> x nt!CcVacbs
lkd> x nt!CcNumberVacbs
lkd> x nt!CcVacbFreeList
fffff800`0288d8b0 nt!CcVacbFreeList = <no type information>
I'd imagine that they are stripped. I don't see them for Win11.
Remember Windows is not an open source project.....
Another point: it seems the command register (r) does not work in local kernel debugging (lkd):
lkd> r eax
^ Bad register error in 'r eax'
lkd> r rax
^ Bad register error in 'r rax'
Is that expected? Thank you.
It never worked. The registers are only available when the target is stopped, and local kernel debugging can't stop the system.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.