I’m trying to analyze a full memory kernel crash dump. When I check the stack with the k command (or knL), I get the user-mode portion of the stack without any symbols - see the bottom 2 lines:
kd> knL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- nt!RtlFailFast+0x4
01 (Inline Function) --------`-------- nt!FatalListEntryError+0x4
02 (Inline Function) --------`-------- nt!InsertHeadList+0x9c
03 ffffdb07`68450830 fffff800`378396ec nt!MiManageSubsectionView+0x128
04 ffffdb07`68450880 fffff800`375fde0c nt!MiDeleteVad+0x4a4
...........
10 ffffdb07`68450bd0 fffff800`374a06a0 win32k!NtDCompositionSynchronize+0x44
11 ffffdb07`68450bf0 fffff800`374a02a4 nt!KiSystemServiceCopyEnd+0x38
12 ffffdb07`68450c60 00007fff`ed8583d4 nt!KiSystemServiceExit
13 00000000`045be2a0 00007fff`e8056064 0x00007fff`ed8583d4
14 00000000`045be2a0 00000000`00000000 0x00007fff`e8056064
From experience, I know that there should be ntdll.dll, so when I do:
.reload /f ntdll.dll
I get:
Unable to load image C:\windows\SYSTEM32\ntdll.dll, Win32 error code 0x2
which means file not found.
What am I doing wrong there?