symchk: Strange manifest file?

mblinov Member Posts: 19

Hi everyone,

So I have a situation where I need to transfer .PDB files over to an airgapped test machine. I found from here that you can use symchk /om to first create a manifest file, and then symchk /im to download the corresponding .PDB files.

However, it seems that whenever I try to follow the following guide from OSR, I always get the following output:

C:\Users\Maxim\Documents\w10>symchk /om manifest.w10 /ie ntoskrnl.exe /s c:\users\Maxim\Documents\w10\empty
SYMCHK: ntoskrnl.exe         FAILED  - ntkrnlmp.pdb mismatched or not found
SYMCHK: hal.dll              FAILED  - hal.pdb mismatched or not found
SYMCHK: kd.dll               FAILED  - kd.pdb mismatched or not found
SYMCHK: mcupdate_AuthenticAMD.dll FAILED  - mcupdate_AuthenticAMD.pdb mismatched or not found
SYMCHK: msrpc.sys            FAILED  - msrpc.pdb mismatched or not found
SYMCHK: ksecdd.sys           FAILED  - ksecdd.pdb mismatched or not found
SYMCHK: werkernel.sys        FAILED  - WerKernel.pdb mismatched or not found
SYMCHK: clfs.sys             FAILED  - clfs.pdb mismatched or not found
SYMCHK: tm.sys               FAILED  - tm.pdb mismatched or not found
SYMCHK: PSHED.DLL            FAILED  - pshed.pdb mismatched or not found
...
SYMCHK: FAILED files = 195
SYMCHK: PASSED + IGNORED files = 0

The manifest looks like this:

C:\Users\Maxim\Documents\w10>type manifest.w10
ntoskrnl.exe,00,2
hal.dll,00,2
kd.dll,00,2
mcupdate_AuthenticAMD.dll,00,2
msrpc.sys,00,2
ksecdd.sys,00,2
werkernel.sys,00,2
clfs.sys,00,2
tm.sys,00,2
PSHED.DLL,00,2
...

Consequently when I try to then fetch the files, I get symchk complaining:

C:\Users\Maxim\Documents\w10>symchk /im manifest.w10 /s SRV*c:\users\Maxim\Documents\w10\empty*http://msdl.microsoft.com/download/symbols
SYMCHK: ntoskrnl.exe         ERROR - Unable to download file. Error reported was 2
SYMCHK: hal.dll              ERROR - Unable to download file. Error reported was 2
SYMCHK: kd.dll               ERROR - Unable to download file. Error reported was 2
SYMCHK: mcupdate_AuthenticAMD.dll ERROR - Unable to download file. Error reported was 2
SYMCHK: msrpc.sys            ERROR - Unable to download file. Error reported was 2
SYMCHK: ksecdd.sys           ERROR - Unable to download file. Error reported was 2
SYMCHK: werkernel.sys        ERROR - Unable to download file. Error reported was 2
SYMCHK: clfs.sys             ERROR - Unable to download file. Error reported was 2
SYMCHK: tm.sys               ERROR - Unable to download file. Error reported was 2
SYMCHK: PSHED.DLL            ERROR - Unable to download file. Error reported was 2
...

Could someone suggest as to what mistake I'm making? The zeroes in the manifest file look rather suspicious, because I tried with an older tool on Win XP, and evidently that's where the checksum is supposed to go.

Comments

  • Tim_Roberts Member - All Emails Posts: 14,852

    If the machine is airgapped, how can it download the symbols from the manifest?

    If you have run windbg and loaded symbols on a networked machine, why not just copy the whole symbol directory over to a USB drive and transfer it to the airgapped machine?

    Tim Roberts, [email protected]
    Software Wizard Emeritus

  • mblinov Member Posts: 19
    edited June 2020

    @Tim_Roberts said:
    If the machine is airgapped, how can it download the symbols from the manifest?

    If you have run windbg and loaded symbols on a networked machine, why not just copy the whole symbol directory over to a USB drive and transfer it to the airgapped machine?

    Well, I've got three machines: A, B, and C. A is connected to network, B and C are not. Machine B is my development machine, on which I want to launch WinDbg... and attach to machine C, the test machine.

    I want to get PDBs that correspond to the binaries running on C, and then have them available to machine B so that I get a sane view in WinDbg.

    So I want to retrieve a list of PDBs that correspond to the binaries running on C. I believe symchk does that by giving me a manifest. I then get that manifest onto machine A via USB stick, and fetch those exact PDBs. Then I copy them over to machine B for WinDbg.

  • Scott_Noone_(OSR) Administrator Posts: 3,683

    I can reproduce this behavior and SymChk is definitely broken. If you turn on verbose logging it's coming up with a PDB signature value of zero and that's not helpful... Worst part is that it does get the value correctly earlier in the output, but when it outputs the summary it shows zero.

    The bug appears to be in symbolcheck.dll. In the name of science I grabbed a much older copy of that DLL from the Win7 SP1 WDK and replaced the one in the latest installation. Now when I run the command line I get proper manifest output. For example:

    ntkrnlmp.pdb,0A0AB369CCAF2C2B44D37A82A8E6C16D1,1
    ntoskrnl.exe,4ff75719ab7000,1
    hal.pdb,F3383972E53BCF4212FB0F57D47870AF1,1
    hal.dll,5c190592a4000,1
    

    That might be a temporary workaround until this is fixed.

    -scott
    OSR
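
Added example, not part of the original thread and not OSR's or Microsoft's code: a small check to run on a symchk manifest before carrying it to the networked machine, so that entries with the zeroed identifier shown in the question are caught early. It assumes the second field is the symbol-store index (as the working output above suggests), treats the third field as opaque, and uses hypothetical function names.

```python
import re

# Sample manifest lines copied from the thread: two from the broken symchk
# output, four from the output produced with the older symbolcheck.dll.
SAMPLE = """\
ntoskrnl.exe,00,2
hal.dll,00,2
ntkrnlmp.pdb,0A0AB369CCAF2C2B44D37A82A8E6C16D1,1
ntoskrnl.exe,4ff75719ab7000,1
hal.pdb,F3383972E53BCF4212FB0F57D47870AF1,1
hal.dll,5c190592a4000,1
"""

HEX = re.compile(r"^[0-9A-Fa-f]+$")

def parse_manifest(text):
    """Yield (line_no, name, ident, flag) for each non-blank manifest line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected 3 fields, got {len(parts)}")
        yield n, parts[0], parts[1], parts[2]

def is_usable(ident):
    """An identifier is usable if it is hex and not made up only of zeros."""
    return bool(HEX.match(ident)) and ident.strip("0") != ""

def store_path(name, ident):
    """Relative path of the file in a symbol store: <name>/<ident>/<name>."""
    return f"{name}/{ident}/{name}"

def check_manifest(text):
    """Split entries into fetchable store paths and unusable entries."""
    good, bad = [], []
    for n, name, ident, _flag in parse_manifest(text):  # flag is not interpreted
        if is_usable(ident):
            good.append(store_path(name, ident))
        else:
            bad.append((n, name, ident))
    return good, bad

if __name__ == "__main__":
    good, bad = check_manifest(SAMPLE)
    for n, name, ident in bad:
        print(f"line {n}: {name} has unusable identifier {ident!r}")
    for path in good:
        print("ok:", path)
```

Any entry reported as unusable means the manifest was produced by the broken build and should be regenerated before the transfer.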
