Comparing memory dumps?

Hello all,

I’d like to take snapshots of memory (.dump ?) and then do a
comparison of the dumps to determine which virtual address locations
have changed (or stayed the same). Does windbg provide this
functionality ?

Thanks,
J

What do you mean by ‘virtual addresses,’ as in ‘which ones?’ Do you mean
something like, say, whether the system process gets mapped the same way?
Or whether physical addresses end up as the same virtual addresses for some
subset?

I’m not sure what you mean.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
Sent: Wednesday, September 08, 2010 8:58 PM
To: Kernel Debugging Interest List
Subject: [windbg] Comparing memory dumps?

Hello all,

I’d like to take snapshots of memory (.dump ?) and then do a comparison of
the dumps to determine which virtual address locations have changed (or
stayed the same). Does windbg provide this functionality ?

Thanks,
J


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thanks for the reply. I am sorry, let me elaborate a bit more. I
would like to take snapshots of everything in memory (all the data).
With these “snapshots”, I would like to then determine which parts of
memory have changed (or have not changed) between each snapshot. I am
not sure if this is supported by windbg, but this is the functionality
I am trying to get :) If there are other tools that will provide me
this functionality, feel free to suggest them.

Thanks.

On Wed, Sep 8, 2010 at 6:42 PM, M. M. O’Brien
wrote:
> What do you mean by ‘virtual addresses,’ as in ‘which ones?’ Do you mean
> something like, say, whether the system process gets mapped the same way?
> Or whether physical addresses end up as the same virtual addresses for some
> subset?
>
> I’m not sure what you mean.
>
>
> mm

OK. That makes sense.

There are other tools that do this, but every one that I’ve seen has serious
flaws, usually that they can’t ensure a consistent snapshot.

From windbg, you can either create a dump file via ‘.dump /f,’ though that
will require stripping out the header; or you can use ‘.writemem,’ which
will write just the raw memory, but you’ll have to use the EXTENDED RANGE
SYNTAX to override the default limits (see .writemem) and I don’t really
know how well it will work over the range of all memory.

Or you can write a windbg extension, which is actually pretty easy (see the
EngExtCpp framework in the windbg docs) and given what else you’re trying to
do might be a good way to go.

There are probably others, but these are the ones that I can think of off
the top of my head.

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
Sent: Thursday, September 09, 2010 9:59 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

Thanks for the reply. I am sorry, let me elaborate a bit more. I would
like to take snapshots of everything in memory (all the data).
With these “snapshots”, I would like to then determine which parts of memory
have changed (or have not changed) between each snapshot. I am not sure if
this is supported by windbg, but this is the functionality I am trying to
get :) If there are other tools that will provide me this functionality,
feel free to suggest them.

Thanks.


Do you want to do this while debugging an application or for a kernel debug
session? The utility of it for kernel debug might be suspect just due to the
amount of information you’d need to deal with (IOW, the diff might be so
large that you can’t make any sense of it).

There isn’t anything built in that I’m aware of. My first guess at a decent
implementation would be to look into doing this with WinDBG for dump
generation and a DbgEng based application for comparing (see the dumpstk
sample in the WinDBG SDK).

I’d generate the dmp files from within WinDBG (.dump command) then open both
dumps in the application and start comparing by reading VAs from both. It’s
not the most integrated solution, but it’s relatively straightforward to
implement for something you’re just going to use for debugging purposes.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


side question about doing memory comparing…
Would he want to put as much RAM in his machine (3.3 GB for 32 bit) and turn off the paging file to make sure nothing is paged out to get a more accurate comparison?

Just curious…
Paul

----- Original Message -----
From: “M. M. O’Brien”
To: “Kernel Debugging Interest List”
Sent: Thursday, September 9, 2010 10:20:10 AM
Subject: RE: [windbg] Comparing memory dumps?

OK. That makes sense.

There are other tools that do this, but every one that I’ve seen has serious
flaws, usually that they can’t ensure a consistent snapshot.

From windbg, you can either create a dump file via ‘.dump /f,’ though that
will require stripping out the header; or you can use ‘.writemem,’ which
will write just the raw memory, but you’ll have to use the EXTENDED RANGE
SYNTAX to override the default limits (see .writemem) and I don’t really
know how well it will work over the range of all memory.

Or you can write a windbg extension, which is actually pretty easy (see the
EngExtCpp framework in the windbg docs) and given what else you’re trying to
do might be a good way to go.

There are probably others, but these are the ones that I can think of off
the top of my head.

Good luck,

mm


I would use as little physical memory as possible, because these dumps take a long time to create/compare.

mm

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Paul Sanders
Sent: Thursday, September 09, 2010 10:50 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

side question about doing memory comparing…
Would he want to put as much RAM in his machine (3.3 GB for 32 bit) and turn off the paging file to make sure nothing is paged out to get a more accurate comparison?

Just curious…
Paul


Jonathon wrote:

> Thanks for the reply. I am sorry, let me elaborate a bit more. I
> would like to take snapshots of everything in memory (all the data).
> With these “snapshots”, I would like to then determine which parts of
> memory have changed (or have not changed) between each snapshot. I am
> not sure if this is supported by windbg, but this is the functionality
> I am trying to get :) If there are other tools that will provide me
> this functionality, feel free to suggest them.

Are you trying to do this for a single process? That should be
achievable. What you’re asking is not practical for the entire system,
because physical memory is so incredibly dynamic. Pages come and go at
incredible speed.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

This was my point…
----- Original Message -----
From: “Tim Roberts”
To: “Kernel Debugging Interest List”
Sent: Thursday, September 9, 2010 12:55:28 PM
Subject: Re: [windbg] Comparing memory dumps?

Jonathon wrote:
> Thanks for the reply. I am sorry, let me elaborate a bit more. I
> would like to take snapshots of everything in memory (all the data).
> With these “snapshots”, I would like to then determine which parts of
> memory have changed (or have not changed) between each snapshot. I am
> not sure if this is supported by windbg, but this is the functionality
> I am trying to get :) If there are other tools that will provide me
> this functionality, feel free to suggest them.

Are you trying to do this for a single process? That should be
achievable. What you’re asking is not practical for the entire system,
because physical memory is so incredibly dynamic. Pages come and go at
incredible speed.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



Thanks guys. Yeah, I am trying to do this for a single process. I
think the “.writemem” function will prove very useful. Is there a way
to dump all writable pages? The pages I am looking for are data pages
which should limit the amount of data I need to dump.

On Thu, Sep 9, 2010 at 10:43 AM, Paul Sanders wrote:
> This was my point…

You could do this in an extension/extension application using
IDebugDataSpaces2::QueryVirtual() and look for something like
PAGE_EXECUTE_READWRITE | PAGE_READWRITE.

That being said, I’m not really sure how useful this will be as I don’t see
how you’ll be able to compare one set to another unless the mappings are the
same, which seems unlikely, or unless you have some type/symbol information
and plan to sort the mappings out.

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
Sent: Thursday, September 09, 2010 2:00 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

Thanks guys. Yeah, I am trying to do this for a single process. I think
the “.writemem” function will prove very useful. Is there a way to dump all
writable pages? The pages I am looking for are data pages which should
limit the amount of data I need to dump.


Also, you have to address the issue of memory being paged out.

Good luck,

mm

-----Original Message-----
From: M. M. O’Brien [mailto:xxxxx@gmail.com]
Sent: Thursday, September 09, 2010 2:07 PM
To: ‘Kernel Debugging Interest List’
Subject: RE: [windbg] Comparing memory dumps?

You could do this in an extension/extension application using
IDebugDataSpaces2::QueryVirtual() and look for something like
PAGE_EXECUTE_READWRITE | PAGE_READWRITE.

That being said, I’m not really sure how useful this will be as I don’t see
how you’ll be able to compare one set to another unless the mappings are the
same, which seems unlikely, or unless you have some type/symbol information
and plan to sort the mappings out.

Good luck,

mm


This is where turning off paging on his test machine would help.

Paul
----- Original Message -----
From: “M. M. O’Brien”
To: “Kernel Debugging Interest List”
Sent: Thursday, September 9, 2010 2:13:07 PM
Subject: RE: [windbg] Comparing memory dumps?

Also, you have to address the issue of memory being paged out.

Good luck,

mm


SDbgExt (http://www.nynaeve.net/?p=7) provides an extension command (!cmpmem) to support this. However, you need to tell it which memory regions to snapshot and which to compare manually. As others have suggested, using that facility over the entire address space as a whole is not likely to be a fruitful endeavor due to the volume of changes.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
Sent: Thursday, September 09, 2010 6:59 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

Thanks for the reply. I am sorry, let me elaborate a bit more. I would like to take snapshots of everything in memory (all the data).
With these “snapshots”, I would like to then determine which parts of memory have changed (or have not changed) between each snapshot. I am not sure if this is supported by windbg, but this is the functionality I am trying to get :slight_smile: If there are other tools that will provide me this functionality, feel free to suggest them.

Thanks.

On Wed, Sep 8, 2010 at 6:42 PM, M. M. O’Brien wrote:
> What do you mean by ‘virtual addresses,’ as in ‘which ones?’ ?Do you
> mean something like, say, whether the system process gets mapped the same way?
> Or whether physical addresses end up as the same virtual addresses for
> some subset?
>
> I’m not sure what you mean.
>
>
> mm
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
> Sent: Wednesday, September 08, 2010 8:58 PM
> To: Kernel Debugging Interest List
> Subject: [windbg] Comparing memory dumps?
>
> Hello all,
>
> I’d like to take snapshots of memory (.dump ?) and then do a
> comparison of the dumps to determine which virtual address locations
> have changed (or stayed the same). Does windbg provide this functionality ?
>
> Thanks,
> J
>

Sorry, I wasn’t clear, but I don’t think that what you’re proposing is really a solution either.

What I meant is that the address space is not going to be a continuous block of committed memory that he could just write with a single ‘.writemem’ command; there will be holes that have nothing to do with things being paged out and there will of course be memory that is allocated from the paged pool which you shouldn’t assume will be present no matter what the particular configuration of the machine. He’s dealing with virtual addresses/vad’s, not physical pages. That is, they may be in physical memory somewhere, but that doesn’t mean that they are necessarily mapped to the process address space in the same place.

mm

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Paul Sanders
Sent: Thursday, September 09, 2010 2:27 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

This is where turning off paging on his test machine would help.

Paul
----- Original Message -----
From: “M. M. O’Brien”
To: “Kernel Debugging Interest List”
Sent: Thursday, September 9, 2010 2:13:07 PM
Subject: RE: [windbg] Comparing memory dumps?

Also, you have to address the issue of memory being paged out.

Good luck,

mm

-----Original Message-----
From: M. M. O’Brien [mailto:xxxxx@gmail.com]
Sent: Thursday, September 09, 2010 2:07 PM
To: ‘Kernel Debugging Interest List’
Subject: RE: [windbg] Comparing memory dumps?

You could do this in an extension/extension application using
IDebugDataSpaces2::QueryVirtual() and look for something like PAGE_EXECUTE_READWRITE | PAGE_READWRITE.

That being said, I’m not really sure how useful this will be as I don’t see how you’ll be able to compare one set to another unless the mappings are the same, which seems unlikely, or unless you have some type/symbol information and plan to sort the mappings out.

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
Sent: Thursday, September 09, 2010 2:00 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

Thanks guys. Yeah, I am trying to do this for a single process. I think the “.writemem” function will prove very useful. Is there a way to dump all writable pages? The pages I am looking for are data pages which should limit the amount of data I need to dump.

On Thu, Sep 9, 2010 at 10:43 AM, Paul Sanders
wrote:
> This was my point…
> ----- Original Message -----
> From: “Tim Roberts”
> To: “Kernel Debugging Interest List”
> Sent: Thursday, September 9, 2010 12:55:28 PM
> Subject: Re: [windbg] Comparing memory dumps?
>
> Jonathon wrote:
>> Thanks for the reply. I am sorry, let me elaborate a bit more. I
>> would like to take snapshots of everything in memory (all the data).
>> With these “snapshots”, I would like to then determine which parts of
>> memory have changed (or have not changed) between each snapshot. I
>> am not sure if this is supported by windbg, but this is the
>> functionality I am trying to get :) If there are other tools that
>> will provide me this functionality, feel free to suggest them.
>
> Are you trying to do this for a single process? That should be
> achievable. What you’re asking is not practical for the entire
> system, because physical memory is so incredibly dynamic. Pages come
> and go at incredible speed.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>

I agree it is going to be difficult. I was just thinking that eliminating paging gets rid of one of his many problems he will face.
Some of the posts from left field I ignore, but this one intrigued me for some reason.
Paul
----- Original Message -----
From: “M. M. O’Brien”
To: “Kernel Debugging Interest List”
Sent: Thursday, September 9, 2010 2:44:16 PM
Subject: RE: [windbg] Comparing memory dumps?

Sorry, I wasn’t clear, but I don’t think that what you’re proposing is really a solution either.

What I meant is that the address space is not going to be a continuous block of committed memory that he could just write with a single ‘.writemem’ command; there will be holes that have nothing to do with things being paged out and there will of course be memory that is allocated from the paged pool which you shouldn’t assume will be present no matter what the particular configuration of the machine. He’s dealing with virtual addresses/vad’s, not physical pages. That is, they may be in physical memory somewhere, but that doesn’t mean that they are necessarily mapped to the process address space in the same place.

mm

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Paul Sanders
Sent: Thursday, September 09, 2010 2:27 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

This is where turning off paging on his test machine would help.

Paul
----- Original Message -----
From: “M. M. O’Brien”
To: “Kernel Debugging Interest List”
Sent: Thursday, September 9, 2010 2:13:07 PM
Subject: RE: [windbg] Comparing memory dumps?

Also, you have to address the issue of memory being paged out.

Good luck,

mm

-----Original Message-----
From: M. M. O’Brien [mailto:xxxxx@gmail.com]
Sent: Thursday, September 09, 2010 2:07 PM
To: ‘Kernel Debugging Interest List’
Subject: RE: [windbg] Comparing memory dumps?

You could do this in an extension/extension application using
IDebugDataSpaces2::QueryVirtual() and look for something like PAGE_EXECUTE_READWRITE | PAGE_READWRITE.

That being said, I’m not really sure how useful this will be as I don’t see how you’ll be able to compare one set to another unless the mappings are the same, which seems unlikely, or unless you have some type/symbol information and plan to sort the mappings out.

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jonathon
Sent: Thursday, September 09, 2010 2:00 PM
To: Kernel Debugging Interest List
Subject: Re: [windbg] Comparing memory dumps?

Thanks guys. Yeah, I am trying to do this for a single process. I think the “.writemem” function will prove very useful. Is there a way to dump all writable pages? The pages I am looking for are data pages which should limit the amount of data I need to dump.

On Thu, Sep 9, 2010 at 10:43 AM, Paul Sanders
wrote:
> This was my point…
> ----- Original Message -----
> From: “Tim Roberts”
> To: “Kernel Debugging Interest List”
> Sent: Thursday, September 9, 2010 12:55:28 PM
> Subject: Re: [windbg] Comparing memory dumps?
>
> Jonathon wrote:
>> Thanks for the reply. I am sorry, let me elaborate a bit more. I
>> would like to take snapshots of everything in memory (all the data).
>> With these “snapshots”, I would like to then determine which parts of
>> memory have changed (or have not changed) between each snapshot. I
>> am not sure if this is supported by windbg, but this is the
>> functionality I am trying to get :) If there are other tools that
>> will provide me this functionality, feel free to suggest them.
>
> Are you trying to do this for a single process? That should be
> achievable. What you’re asking is not practical for the entire
> system, because physical memory is so incredibly dynamic. Pages come
> and go at incredible speed.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>

M. M. O’Brien wrote:

> Also, you have to address the issue of memory being paged out.

I don’t think that’s an issue here. He’s talking about user mode
dumping. He’s writing the virtual address space. It will be paged in if
needed. Right?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

From: “M. M. O’Brien”
>What I meant is that the address space is not going to be a continuous
>block of committed memory that he could just write with a single
>‘.writemem’ command; there will be holes that have nothing to do with
>things being paged out

And the problem with .writemem is that it doesn’t skip regions that it can’t
read, it just bails. So you’d have to walk the VAD and make up .writemem
commands for the potentially valid ranges…Much less work to just call
IDebugDataSpaces::ReadVirtual from DbgEng.

“Tim Roberts” wrote in message news:xxxxx@windbg…
> I don’t think that’s an issue here. He’s talking about user mode
> dumping. He’s writing the virtual address space. It will be paged in if
> needed. Right?

We’ve been talking about doing a dump from a debugger, I’m not sure that the
user mode debugger will just automatically page data in as it’s sucking it
over (I wouldn’t think so). Anyone know for sure?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

Exactly.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Thursday, September 09, 2010 3:51 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] Comparing memory dumps?

From: “M. M. O’Brien”
>What I meant is that the address space is not going to be a continuous
>block of committed memory that he could just write with a single
>‘.writemem’ command; there will be holes that have nothing to do with
>things being paged out

And the problem with .writemem is that it doesn’t skip regions that it can’t
read, it just bails. So you’d have to walk the VAD and make up .writemem
commands for the potentially valid ranges…Much less work to just call
IDebugDataSpaces::ReadVirtual from DbgEng.

“Tim Roberts” wrote in message news:xxxxx@windbg…
> I don’t think that’s an issue here. He’s talking about user mode
> dumping. He’s writing the virtual address space. It will be paged in
> if needed. Right?

We’ve been talking about doing a dump from a debugger, I’m not sure that the
user mode debugger will just automatically page data in as it’s sucking it
over (I wouldn’t think so). Anyone know for sure?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com



User mode debugger will call ReadProcessMemory which will page the memory in if it’s paged out.

Thanks,
Pavel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Thursday, September 09, 2010 12:51 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] Comparing memory dumps?

We’ve been talking about doing a dump from a debugger, I’m not sure that the user mode debugger will just automatically page data in as it’s sucking it over (I wouldn’t think so). Anyone know for sure?
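
The comparison discussed in this thread (per-region reads of a single process, compared by virtual address, with holes and with mappings that differ between snapshots), sketched as an added example that is not code from any poster or from DbgEng. It assumes each snapshot has already been read into a dict of page-aligned base address to bytes, for instance one entry per readable region; that dict layout, the function names and the sample data are all assumptions made for illustration.

```python
PAGE = 0x1000  # assumed page size; region bases are assumed page-aligned

def to_pages(regions, page=PAGE):
    """Flatten {base_address: bytes} into {page_address: page_bytes}."""
    pages = {}
    for base, data in regions.items():
        if base % page:
            raise ValueError(f"region {base:#x} is not page-aligned")
        for off in range(0, len(data), page):
            pages[base + off] = data[off:off + page]
    return pages

def coalesce(addrs, page=PAGE):
    """Merge page addresses into sorted (start, end_exclusive) ranges."""
    ranges = []
    for a in sorted(addrs):
        if ranges and ranges[-1][1] == a:
            ranges[-1] = (ranges[-1][0], a + page)
        else:
            ranges.append((a, a + page))
    return ranges

def diff_snapshots(old, new, page=PAGE):
    """Compare two snapshots by virtual address at page granularity.

    Flattening to pages first means a region that was split, merged or
    resized between snapshots is still compared address by address, and
    pages present in only one snapshot are reported instead of diffed.
    """
    p_old, p_new = to_pages(old, page), to_pages(new, page)
    common = p_old.keys() & p_new.keys()
    return {
        "changed":   coalesce([a for a in common if p_old[a] != p_new[a]], page),
        "unchanged": coalesce([a for a in common if p_old[a] == p_new[a]], page),
        "unmapped":  coalesce(p_old.keys() - p_new.keys(), page),
        "mapped":    coalesce(p_new.keys() - p_old.keys(), page),
    }

# Constructed sample data: writable regions of one process at two points in time.
SNAP_A = {0x10000: bytes(PAGE) + b"\x41" * PAGE,   # one two-page region
          0x30000: bytes(PAGE)}                    # gone in snapshot B
SNAP_B = {0x10000: bytes(PAGE),                    # first page, untouched
          0x11000: b"\x41" * 16 + b"\x42" * (PAGE - 16),  # now its own region, modified
          0x50000: b"\xcc" * PAGE}                 # newly committed

if __name__ == "__main__":
    for kind, ranges in diff_snapshots(SNAP_A, SNAP_B).items():
        print(kind, [f"{s:#x}-{e:#x}" for s, e in ranges])
```

A page that could not be read at snapshot time is simply absent from its dict, so it shows up under "unmapped" or "mapped" rather than as a false change.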