Can't resolve symbols for user-mode modules in a full kernel memory crash dump

wc2023 · January 29, 2024, 10:32pm

I’m trying to analyze a full memory kernel crash dump. When I check the stack with the k command (or knL) I get user mode portion of the stack without any symbols - see bottom 2 lines:

kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
# Child-SP          RetAddr               Call Site
00 (Inline Function) --------`--------     nt!RtlFailFast+0x4
01 (Inline Function) --------`--------     nt!FatalListEntryError+0x4
02 (Inline Function) --------`--------     nt!InsertHeadList+0x9c
03 ffffdb07`68450830 fffff800`378396ec     nt!MiManageSubsectionView+0x128
04 ffffdb07`68450880 fffff800`375fde0c     nt!MiDeleteVad+0x4a4
...........
10 ffffdb07`68450bd0 fffff800`374a06a0     win32k!NtDCompositionSynchronize+0x44
11 ffffdb07`68450bf0 fffff800`374a02a4     nt!KiSystemServiceCopyEnd+0x38
12 ffffdb07`68450c60 00007fff`ed8583d4     nt!KiSystemServiceExit
13 00000000`045be2a0 00007fff`e8056064     0x00007fff`ed8583d4
14 00000000`045be2a0 00000000`00000000     0x00007fff`e8056064

By experience, I know that there should be ntdll.dll. so when I do:

.reload /f ntdll.dll

I get:
Unable to load image C:\windows\SYSTEM32\ntdll.dll, Win32 error code 0x2

which means, file not found.

What am I doing wrong there?

Scott_Noone_OSR · January 30, 2024, 5:27pm

User mode stuff can be paged out even in a full memory dump so it’s not always possible.

What does !sym noisy/.reload say?

wc2023 · January 30, 2024, 6:54pm

For ntdll.dll pretty much “path not found” for all search locations. and then “mismatched timestamp” and “image header does not match memory image header” for C:\Windows\System32\ntdll.dll

Scott_Noone_OSR · January 31, 2024, 5:58pm

If you have the ntdll.dll from the target system you can try copying it to the host and pointing your executable path to it. Or try getting it from the symbol server: .exepath srv* ; .reload