Windows 10 Kernel Symbols Not Available?

Hi,

I’m trying to analyze a Windows 10 Crash dump and I’m getting:

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -

My symbols were working a couple of days ago. I noticed my Kernel was recently updated to build 14393 and the kernel symbols haven’t been working since. I don’t think it’s a problem with my symbol path, which is: srv*c:\symbols*https://msdl.microsoft.com/download/symbols

When I reload with !sym noisy I get HTTP_STATUS_NOT_FOUND for ntkrnlmp.pdb. Any ideas what’s wrong? Appreciate any help.

Can you tell me the exact build number (Settings->system->about) and give the output of a noisy symbol load when trying to load ntkrnlmp.pdb?

I’ve had lots of problems with symbols over the last few days.
It’s regularly slow pulling them from the symbol server, and occasionally it
fails to pull them entirely. If I leave it for a while and retry, it works
again.

When it goes down I’m unable to work, so I’ve resorted to keeping an offline
cache as it’s too unreliable at the moment.

It was down a few months ago for over a week. Are MS losing interest in
keeping this service reliable?

Ged.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: 11 November 2016 17:08
To: Kernel Debugging Interest List
Subject: [windbg] Windows 10 Kernel Symbols Not Available?

Hi,

I’m trying to analyze a Windows 10 Crash dump and I’m getting:

*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ntkrnlmp.exe -

My symbols were working a couple of days ago. I noticed my Kernel was
recently updated to build 14393 and the kernel symbols haven’t been working
since. I don’t think it’s a problem with my symbol path, which is:
srvc:\symbolshttps://msdl.microsoft.com/download/symbols

When I reload with !sym noisy I get HTTP_STATUS_NOT_FOUND for ntkrnlmp.pdb.
Any ideas what’s wrong? Appreciate any help.


WINDBG is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:</http:></http:>

Not sure which settings menu you’re talking about but the meta info on my ntoskrnl.exe file shows File version 10.0.14393.447. Under “Original filename” it indicates it’s the ntkrnlmp.exe variant of the kernel. Here’s the noisy output for the kernel symbols:

1: kd> .reload
SYMSRV: BYINDEX: 0x11
c:\symbols*https://msdl.microsoft.com/download/symbols
ntkrnlmp.pdb
4DAC3B582A9147ECAED2644CB165222B1
SYMSRV: c:\symbols\ntkrnlmp.pdb\4DAC3B582A9147ECAED2644CB165222B1\ntkrnlmp.pdb - file not found
SYMSRV: HTTPGET: /download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pdb

SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pd_

SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/file.ptr

SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: c:\symbols\ntkrnlmp.pdb\4DAC3B582A9147ECAED2644CB165222B1\ntkrnlmp.pdb not found
SYMSRV: https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pdb not found
DBGHELP: ntkrnlmp.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
DBGHELP: nt - export symbols
Loading Kernel Symbols

well i think he is talking about the setting app in windows 10 which
you can open by

hotkey winkey + i

or using cmd prompt and typing in start ms-settings

or using explorer context menu rightclick -on desktop select settings

or may be even with wmic

C:\>wmic os get BuildNumber
BuildNumber
7601

you also should be aware that there is a lot of problems with symbol
server for the past few months some times you get 404 for several
times and then you can download it magically

On 11/11/16, xxxxx@gmail.com wrote:
> Not sure which settings menu you’re talking about but the meta info on my
> ntoskrnl.exe file shows File version 10.0.14393.447. Under “Original
> filename” it indicates it’s the ntkrnlmp.exe variant of the kernel. Here’s
> the noisy output for the kernel symbols:
>
> 1: kd> .reload
> SYMSRV: BYINDEX: 0x11
> c:\symbols*https://msdl.microsoft.com/download/symbols
> ntkrnlmp.pdb
> 4DAC3B582A9147ECAED2644CB165222B1
> SYMSRV:
> c:\symbols\ntkrnlmp.pdb\4DAC3B582A9147ECAED2644CB165222B1\ntkrnlmp.pdb -
> file not found
> SYMSRV: HTTPGET:
> /download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pdb
>
> SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
> SYMSRV: HTTPGET:
> /download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pd_
>
> SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
> SYMSRV: HTTPGET:
> /download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/file.ptr
>
> SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
> SYMSRV:
> c:\symbols\ntkrnlmp.pdb\4DAC3B582A9147ECAED2644CB165222B1\ntkrnlmp.pdb not
> found
> SYMSRV:
> https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pdb
> not found
> DBGHELP: ntkrnlmp.pdb - file not found
> *** ERROR: Symbol file could not be found. Defaulted to export symbols for
> ntkrnlmp.exe -
> DBGHELP: nt - export symbols
> Loading Kernel Symbols
>
>
>
> —
> WINDBG is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
> drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http:
></http:></http:>

Ok thanks for the info. It was working great earlier this week until that update got installed. I’ve tried lots of times so I don’t think it’s just intermittent problems with reaching the server. I’m wondering if maybe they haven’t published the symbols yet…

@Ged, we’re definitely working on improving it.

@Jeffry, I’m following up on your issue right now, it looks like some of the symbols for that build failed to get indexed.

HAVING SAME ISSUE !!!

All was fine and dandy couple of days back. I was able to even use source indexed KMDF stuff. Now I get below.

My versions
OS:
Win10 Enterprise / Build 14393.rs1_release_inmarket.161102-0100 (at bottom right corner)
Edition: Win10 Enterprise Version: 1607, OS Build: 14393.447 (from winkey + i)

MS VS Enterprise 2015 - 14.0.25431.01 Update 3
SDK - 10.0.14393.0
WDK - 10.0.14393.33
Windbg - 10.0.14321.1024 AMD64

Who installs Windbg ? i.e. VS or SDK or WDK?
Thinking I have old Windbg, I tried installing Windbg separately from below link, but it doesn’t allow, asks me uninstall/reinstall SDK. Anyways even after doing that, the windbg version is same as above.
https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit

It would be better to list the version of Windbg included in a VS, SDK, WDK somewhere?

Also if I have to download symbol packages offline from below for my above OS, how do I figure out which ones to download, only few nodes there have a build number??
https://developer.microsoft.com/en-us/windows/hardware/download-symbols


************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\symbols*http://msdl.microsoft.com/download/symbols
1: kd> .reload /f nt
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
1: kd> !sym noisy
noisy mode - symbol prompts on
1: kd> .reload /f nt
SYMSRV: BYINDEX: 0x7
c:\symbols*http://msdl.microsoft.com/download/symbols
ntkrnlmp.pdb
4DAC3B582A9147ECAED2644CB165222B1
SYMSRV: c:\symbols\ntkrnlmp.pdb\4DAC3B582A9147ECAED2644CB165222B1\ntkrnlmp.pdb - file not found
SYMSRV: HTTPGET: /download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pdb

SYMSRV: HttpSendRequest: 12002 - ERROR_INTERNET_TIMEOUT
SYMSRV: c:\symbols\ntkrnlmp.pdb\4DAC3B582A9147ECAED2644CB165222B1\ntkrnlmp.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4DAC3B582A9147ECAED2644CB165222B1/ntkrnlmp.pdb not found
DBGHELP: ntkrnlmp.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
DBGHELP: nt - export symbols

Hello everyone,

I am having exactly the same problem with ntkrnlmp symbols not working for Windows 10 1607 x64. This is been going on like this since Monday.

Anyone was able to resolve the problem? I am amazed that I never had such problems with symbols since 2k days and now this is going on like this for a week and it is not fixed …

We’re still working on getting symbols out for the KBs that were released in the past couple weeks.

I am o.k. now!

3: kd> lmDvmnt
Browse full module list
start end module name
fffff803ae21b000 fffff803aea3b000 nt (pdb symbols) c:_symbols\ntkrnlmp.pdb\4DAC3B582A9147ECAED2644CB165222B1\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Timestamp: Wed Nov 2 03:17:03 2016 (5819BD1F)
CheckSum: 0077E1C5
ImageSize: 00820000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

Indeed, it started to work well since today :slight_smile:

ntoskrnl is dowloading now.
Unfortunately Kernel32.dll is blocking normal operation now :frowning:
I hope Microsoft are continuing to index all symbols

Sometimes the user mode symbols don’t load because the PE header’s debug
directory is paged out. What does !sym noisy/.reload say when trying to load
symbols for kernel32.dll?

-scott
OSR
@OSRDrivers

“Ian Blake” wrote in message news:xxxxx@windbg…

ntoskrnl is dowloading now.
Unfortunately Kernel32.dll is blocking normal operation now :frowning:
I hope Microsoft are continuing to index all symbols

I’ve been getting all sorts of errors from the symbol server over the past
few months.
Not sure if it’s the same as the OP, but here’s my daily surprise error for
today

0:006> !sym noisy
noisy mode - symbol prompts on
0:006> .reload

SYMSRV: BYINDEX: 0x17
d:\symbols*https://msdl.microsoft.com/download/symbols
wntdll.pdb
DCCFF2D483FA4DEE81DC04552C73BB5E2
SYMSRV: d:\symbols\wntdll.pdb\DCCFF2D483FA4DEE81DC04552C73BB5E2\wntdll.pdb

  • file not found
    SYMSRV: HTTPGET:
    /download/symbols/wntdll.pdb/DCCFF2D483FA4DEE81DC04552C73BB5E2/wntdll.pdb
    SYMSRV: HttpQueryInfo: 502 - HTTP_STATUS_BAD_GATEWAY
    SYMSRV: d:\symbols\wntdll.pdb\DCCFF2D483FA4DEE81DC04552C73BB5E2\wntdll.pdb
    not found
    SYMSRV:
    https://msdl.microsoft.com/download/symbols/wntdll.pdb/DCCFF2D483FA4DEE81DC0
    4552C73BB5E2/wntdll.pdb not found
    DBGHELP: wntdll.pdb - file not found
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for
    ntdll.dll -
    DBGHELP: ntdll - export symbols
    SYMSRV: BYINDEX: 0x18
    d:\symbols*https://msdl.microsoft.com/download/symbols
    wkernel32.pdb
    820EEB5D68EF443ABBE61E837F814BE12
    SYMSRV:
    d:\symbols\wkernel32.pdb\820EEB5D68EF443ABBE61E837F814BE12\wkernel32.pdb -
    file not found
    SYMSRV: HTTPGET:
    /download/symbols/wkernel32.pdb/820EEB5D68EF443ABBE61E837F814BE12/wkernel32.
    pdb
    SYMSRV: HttpQueryInfo: 502 - HTTP_STATUS_BAD_GATEWAY
    SYMSRV:
    d:\symbols\wkernel32.pdb\820EEB5D68EF443ABBE61E837F814BE12\wkernel32.pdb not
    found
    SYMSRV:
    https://msdl.microsoft.com/download/symbols/wkernel32.pdb/820EEB5D68EF443ABB
    E61E837F814BE12/wkernel32.pdb not found
    DBGHELP: wkernel32.pdb - file not found
    *** WARNING: symbols timestamp is wrong 0x4dce203f 0x4ce7baf9 for
    kernel32.dll
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for
    kernel32.dll -
    DBGHELP: kernel32 - export symbols

************* Symbol Loading Error Summary **************
Module name Error
ntdll An extended error was returned from the WinHttp
server : srv*d:\symbols*https://msdl.microsoft.com/download/symbols
The .pdb file is probably no longer indexed
in the symbol server share location.
Please verify that you have access to the
symbol server from your location.

kernel32 An extended error was returned from the WinHttp
server : srv*d:\symbols*https://msdl.microsoft.com/download/symbols
The .pdb file is probably no longer indexed
in the symbol server share location.
Please verify that you have access to the
symbol server from your location.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: 23 November 2016 13:55
To: Kernel Debugging Interest List
Subject: Re:[windbg] Windows 10 Kernel Symbols Not Available?

Sometimes the user mode symbols don’t load because the PE header’s debug
directory is paged out. What does !sym noisy/.reload say when trying to load
symbols for kernel32.dll?

-scott
OSR
@OSRDrivers

“Ian Blake” wrote in message news:xxxxx@windbg…

ntoskrnl is dowloading now.
Unfortunately Kernel32.dll is blocking normal operation now :frowning: I hope
Microsoft are continuing to index all symbols


WINDBG is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:</http:></http:>