Re: about flags for !error command

Hi raj_r,

Here is what I get from Windbg help document about !error command. For the Flags parameter which you use as 1, I can not find a full list of all supported numbers. Do you know where to find such a list?

Here is my whole Windbg help document information.


Debugging Tools for Windows
!error
The !error extension decodes and displays information about an error value.

Syntax
!error Value [Flags]

Parameters
Value
Specifies one of the following error codes:
Win32
Winsock
NTSTATUS
NetAPI
Flags
If Flags is set to 1, the error code is read as an NTSTATUS code.

DLL
Windows NT 4.0 Ext.dll
Windows 2000 Ext.dll
Windows XP and later Ext.dll

Comments
The following example shows you how to use !error.
0:000> !error 2
Error code: (Win32) 0x2 (2) - The system cannot find the file specified.
0:000> !error 2 1
Error code: (NTSTATUS) 0x2 - STATUS_WAIT_2

regards,
George

----- Original Message ----
From: raj_r
To: Kernel Debugging Interest List
Sent: Tuesday, October 7, 2008 1:58:02 AM
Subject: Re: [windbg] source code window is not displayed

On 10/6/08, Lin George wrote:
> Hi Skywing.
>
> 3. From my output, there is only one break point, but I do not know why it breaks twice, any ideas?
>
> More details, I do not know why breaks here,

0:000> !error 0x4000001f 1
Error code: (NTSTATUS) 0x4000001f - Exception status code used by
Win32 x86 emulation subsystem.

---
You are currently subscribed to windbg as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

On 10/7/08, Lin George wrote:
> Hi raj_r,
>
> NetAPI
> Flags
> If Flags is set to 1, the error code is read as an NTSTATUS code.

there are no other flags if i remember correctly

try disassembling ext!FormatAnyStatus function

if my memory serves me right i believe it checks for 0 and if it is
not 0 it directly jumps to ntdll! and uses RtlFindMessage Function to
check the rsrc section for the message

Thanks raj_r,

Could you suggest the best practices from your experience? Never use any flag and let !error automatically find?

regards,
George

----- Original Message ----
From: raj_r
To: Lin George
Cc: Kernel Debugging Interest List
Sent: Thursday, October 9, 2008 5:06:26 AM
Subject: Re: [windbg] about flags for !error command

On 10/7/08, Lin George wrote:
> Hi raj_r,
>
> NetAPI
> Flags
> If Flags is set to 1, the error code is read as an NTSTATUS code.

there are no other flags if i remember correctly

try disassembling ext!FormatAnyStatus function

if my memory serves me right i believe it checks for 0 and if it is
not 0 it directly jumps to ntdll! and uses RtlFindMessage Function to
check the rsrc section for the message

On 10/9/08, Lin George wrote:
> Thanks raj_r,
>
>
> Could you suggest the best practices from your experience? Never use any flag and let !error automatically find?

well not much i usually try to pass all kinds of stuff to all kinds of
functions :) and try to find out where it does something which it isn't
expected to do

lkd> r $t0 = 0
lkd> ? $t0
Evaluate expression: 0 = 00000000
lkd> ? $t1
Evaluate expression: 1 = 00000001
lkd> .for ($t0 = 0; $t0 < 100 ;r $t0 = $t0 + $t1) { !error $t0 $t0 }
Error code: (Win32) 0 (0) - The operation completed successfully.
Error code: (NTSTATUS) 0x1 - STATUS_WAIT_1
Error code: (NTSTATUS) 0x2 - STATUS_WAIT_2
Error code: (NTSTATUS) 0x3 - STATUS_WAIT_3
Error code: (NTSTATUS) 0x4 - The system cannot open the file.
Error code: (NTSTATUS) 0x5 - Access is denied.
Error code: (NTSTATUS) 0x6 - The handle is invalid.
Error code: (NTSTATUS) 0x7 - The storage control blocks were destroyed.
Error code: (NTSTATUS) 0x8 - Not enough storage is available to
process this command.
Error code: (NTSTATUS) 0x9 - The storage control block address is invalid.
Error code: (NTSTATUS) 0xa - The environment is incorrect.
Error code: (NTSTATUS) 0xb - An attempt was made to load a program
with an incorrect format.
Error code: (NTSTATUS) 0xc - The access code is invalid.
Error code: (NTSTATUS) 0xd - The data is invalid.
Error code: (NTSTATUS) 0xe - Not enough storage is available to
complete this operation.
Error code: (NTSTATUS) 0xf - The system cannot find the drive specified.
Error code: (NTSTATUS) 0x10 - The directory cannot be removed.
Error code: (NTSTATUS) 0x11 - The system cannot move the file to a
different disk drive.
Error code: (NTSTATUS) 0x12 - There are no more files.
Error code: (NTSTATUS) 0x13 - The media is write protected.
Error code: (NTSTATUS) 0x14 - The system cannot find the device specified.
Error code: (NTSTATUS) 0x15 - The device is not ready.
Error code: (NTSTATUS) 0x16 - The device does not recognize the command.
Error code: (NTSTATUS) 0x17 - Data error (cyclic redundancy check).
Error code: (NTSTATUS) 0x18 - The program issued a command but the
command length is incorrect.
Error code: (NTSTATUS) 0x19 - The drive cannot locate a specific area
or track on the disk.
Error code: (NTSTATUS) 0x1a - The specified disk or diskette cannot be accessed.
Error code: (NTSTATUS) 0x1b - The drive cannot find the sector requested.
Error code: (NTSTATUS) 0x1c - The printer is out of paper.
Error code: (NTSTATUS) 0x1d - The system cannot write to the specified device.
Error code: (NTSTATUS) 0x1e - The system cannot read from the specified device.
Error code: (NTSTATUS) 0x1f - A device attached to the system is not
functioning.
Error code: (NTSTATUS) 0x20 - The process cannot access the file
because it is being used by another process.
Error code: (NTSTATUS) 0x21 - The process cannot access the file
because another process has locked a portion of the file.
Error code: (NTSTATUS) 0x22 - The wrong diskette is in the drive.
Insert %2 (Volume Serial Number: %3) into drive %1.
Error code: (NTSTATUS) 0x23 -
Error code: (NTSTATUS) 0x24 - Too many files opened for sharing.
Error code: (NTSTATUS) 0x25 -
Error code: (NTSTATUS) 0x26 - Reached the end of the file.
Error code: (NTSTATUS) 0x27 - The disk is full.
Error code: (NTSTATUS) 0x28 -
Error code: (NTSTATUS) 0x29 -
Error code: (NTSTATUS) 0x2a -
Error code: (NTSTATUS) 0x2b -
Error code: (NTSTATUS) 0x2c -
Error code: (NTSTATUS) 0x2d -
Error code: (NTSTATUS) 0x2e -
Error code: (NTSTATUS) 0x2f -
Error code: (NTSTATUS) 0x30 -
Error code: (NTSTATUS) 0x31 -
^ User interrupted
operation error in '.for ($t0 = 0; $t0 < 100 ;r $t0 = $t0 + $t1) {
!error $t0 $t0 } '

so you could set up a .logopen
and increment the pseudo register till 2^ your comp's bits

Thanks raj_r, I find you always passing the same values for “Value” and “[Flags]”, i.e. $t0 $t0. Here is the command syntax from debugger help document, but after reading the document, I am still confused what are the legal value range for the 2 parameters? The debugger help document does not cover the legal ranges. Where to look-up?

!error Value [Flags]

regards,
George

----- Original Message ----
From: raj_r
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Sent: Friday, October 10, 2008 1:27:40 AM
Subject: Re: [windbg] about flags for !error command

On 10/9/08, Lin George wrote:
> Thanks raj_r,
>
>
> Could you suggest the best practices from your experience? Never use any flag and let !error automatically find?

well not much i usually try to pass all kinds of stuff to all kinds of
functions :) and try to find out where it does something which it isn't
expected to do

lkd> r $t0 = 0
lkd> ? $t0
Evaluate expression: 0 = 00000000
lkd> ? $t1
Evaluate expression: 1 = 00000001
lkd> .for ($t0 = 0; $t0 < 100 ;r $t0 = $t0 + $t1) { !error $t0 $t0 }
Error code: (Win32) 0 (0) - The operation completed successfully.
Error code: (NTSTATUS) 0x1 - STATUS_WAIT_1
Error code: (NTSTATUS) 0x2 - STATUS_WAIT_2
Error code: (NTSTATUS) 0x3 - STATUS_WAIT_3
Error code: (NTSTATUS) 0x4 - The system cannot open the file.
Error code: (NTSTATUS) 0x5 - Access is denied.
Error code: (NTSTATUS) 0x6 - The handle is invalid.
Error code: (NTSTATUS) 0x7 - The storage control blocks were destroyed.
Error code: (NTSTATUS) 0x8 - Not enough storage is available to
process this command.
Error code: (NTSTATUS) 0x9 - The storage control block address is invalid.
Error code: (NTSTATUS) 0xa - The environment is incorrect.
Error code: (NTSTATUS) 0xb - An attempt was made to load a program
with an incorrect format.
Error code: (NTSTATUS) 0xc - The access code is invalid.
Error code: (NTSTATUS) 0xd - The data is invalid.
Error code: (NTSTATUS) 0xe - Not enough storage is available to
complete this operation.
Error code: (NTSTATUS) 0xf - The system cannot find the drive specified.
Error code: (NTSTATUS) 0x10 - The directory cannot be removed.
Error code: (NTSTATUS) 0x11 - The system cannot move the file to a
different disk drive.
Error code: (NTSTATUS) 0x12 - There are no more files.
Error code: (NTSTATUS) 0x13 - The media is write protected.
Error code: (NTSTATUS) 0x14 - The system cannot find the device specified.
Error code: (NTSTATUS) 0x15 - The device is not ready.
Error code: (NTSTATUS) 0x16 - The device does not recognize the command.
Error code: (NTSTATUS) 0x17 - Data error (cyclic redundancy check).
Error code: (NTSTATUS) 0x18 - The program issued a command but the
command length is incorrect.
Error code: (NTSTATUS) 0x19 - The drive cannot locate a specific area
or track on the disk.
Error code: (NTSTATUS) 0x1a - The specified disk or diskette cannot be accessed.
Error code: (NTSTATUS) 0x1b - The drive cannot find the sector requested.
Error code: (NTSTATUS) 0x1c - The printer is out of paper.
Error code: (NTSTATUS) 0x1d - The system cannot write to the specified device.
Error code: (NTSTATUS) 0x1e - The system cannot read from the specified device.
Error code: (NTSTATUS) 0x1f - A device attached to the system is not
functioning.
Error code: (NTSTATUS) 0x20 - The process cannot access the file
because it is being used by another process.
Error code: (NTSTATUS) 0x21 - The process cannot access the file
because another process has locked a portion of the file.
Error code: (NTSTATUS) 0x22 - The wrong diskette is in the drive.
Insert %2 (Volume Serial Number: %3) into drive %1.
Error code: (NTSTATUS) 0x23 -
Error code: (NTSTATUS) 0x24 - Too many files opened for sharing.
Error code: (NTSTATUS) 0x25 -
Error code: (NTSTATUS) 0x26 - Reached the end of the file.
Error code: (NTSTATUS) 0x27 - The disk is full.
Error code: (NTSTATUS) 0x28 -
Error code: (NTSTATUS) 0x29 -
Error code: (NTSTATUS) 0x2a -
Error code: (NTSTATUS) 0x2b -
Error code: (NTSTATUS) 0x2c -
Error code: (NTSTATUS) 0x2d -
Error code: (NTSTATUS) 0x2e -
Error code: (NTSTATUS) 0x2f -
Error code: (NTSTATUS) 0x30 -
Error code: (NTSTATUS) 0x31 -
^ User interrupted
operation error in '.for ($t0 = 0; $t0 < 100 ;r $t0 = $t0 + $t1) {
!error $t0 $t0 } '

so you could set up a .logopen
and increment the pseudo register till 2^ your comp's bits



On 10/10/08, Lin George wrote:
> The debugger help document does not cover the legal ranges. Where to look-up?
>
> !error Value [Flags]

legal range for errors can be from 0 to ffffffff or 0 to
ffffffff`ffffffff (0 to 2^32 or 0 to 2^64 or may be 0 to 2^128 and
above in far future) subject to certain conditions like the below one
that's valid for 2^32 range

The error codes returned by a function are not part of the Windows API
specification and can vary by operating system or device driver. For
this reason, we cannot provide the complete list of error codes that
can be returned by each function. There are also many functions whose
documentation does not include even a partial list of error codes that
can be returned.

Error codes are 32-bit values (bit 31 is the most significant bit).
Bit 29 is reserved for application-defined error codes; no system
error code has this bit set. If you are defining an error code for
your application, set this bit to one. That indicates that the error
code has been defined by an application, and ensures that your error
code does not conflict with any error codes defined by the system.

http://msdn.microsoft.com/en-us/library/ms679360(VS.85).aspx

NTSTATUS
2.2.34 NTSTATUS
NTSTATUS is a standard 32-bit datatype for system-supplied status code values.

NTSTATUS values are used to communicate system information. They are
of four types: success values, information values, warnings, and error
values, as specified in [MS-ERREF].

This type is declared as follows:

typedef long NTSTATUS;

http://msdn.microsoft.com/en-us/library/cc230357.aspx

When testing a return value, you should use one of the following
system-supplied macros (defined in ntdef.h):

NT_SUCCESS(Status)
Evaluates to TRUE if the return value specified by Status is a success
type (0 - 0x3FFFFFFF) or an informational type (0x40000000 -
0x7FFFFFFF).
NT_INFORMATION(Status)
Evaluates to TRUE if the return value specified by Status is an
informational type (0x40000000 - 0x7FFFFFFF).
NT_WARNING(Status)
Evaluates to TRUE if the return value specified by Status is a warning
type (0x80000000 - 0xBFFFFFFF).
NT_ERROR(Status)
Evaluates to TRUE if the return value specified by Status is an error
type (0xC0000000 - 0xFFFFFFFF).

http://msdn.microsoft.com/en-us/library/aa489609.aspx

you can get half a cd full of errors

http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/Windows_Communication_Protocols.zip

only thing you need is the ability to search and unless you develop
the attitude or ability to search, seek and find what you need on
your own no amount of answers are going to help you

for flags as i already said there are only two values that seem to be working
they are 0 AND 1 as documented
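
The ranges quoted above for NT_SUCCESS, NT_INFORMATION, NT_WARNING and NT_ERROR, and the bit 29 rule, can be checked against the values that appear in this thread. The C program below is an added example, not part of raj_r's message and not the ntdef.h source; the EX_ macro names, the struct and the function names are hypothetical, and the field split (severity in bits 31-30, customer bit 29, facility in bits 27-16, code in bits 15-0) is the NTSTATUS layout from [MS-ERREF].

```c
#include <stdint.h>
#include <stdio.h>

/* Severity classes, numbered as the top two bits of the 32-bit value. */
enum severity {
    SEV_SUCCESS       = 0,  /* 0x00000000 - 0x3FFFFFFF */
    SEV_INFORMATIONAL = 1,  /* 0x40000000 - 0x7FFFFFFF */
    SEV_WARNING       = 2,  /* 0x80000000 - 0xBFFFFFFF */
    SEV_ERROR         = 3   /* 0xC0000000 - 0xFFFFFFFF */
};

/* Illustrative stand-ins for the ntdef.h macros (hypothetical names,
 * same ranges as in the documentation quoted above). */
#define EX_NT_SUCCESS(s)     ((((uint32_t)(s)) >> 31) == 0)
#define EX_NT_INFORMATION(s) ((((uint32_t)(s)) >> 30) == 1)
#define EX_NT_WARNING(s)     ((((uint32_t)(s)) >> 30) == 2)
#define EX_NT_ERROR(s)       ((((uint32_t)(s)) >> 30) == 3)

struct status_fields {
    enum severity severity; /* bits 31-30 */
    unsigned customer;      /* bit 29: set for application-defined codes */
    unsigned facility;      /* bits 27-16 */
    unsigned code;          /* bits 15-0 */
};

/* Split a raw 32-bit value into its NTSTATUS fields. */
static struct status_fields split_status(uint32_t v)
{
    struct status_fields f;
    f.severity = (enum severity)(v >> 30);
    f.customer = (v >> 29) & 1u;
    f.facility = (v >> 16) & 0x0FFFu;
    f.code     = v & 0xFFFFu;
    return f;
}

static const char *severity_name(enum severity s)
{
    switch (s) {
    case SEV_SUCCESS:       return "success";
    case SEV_INFORMATIONAL: return "informational";
    case SEV_WARNING:       return "warning";
    default:                return "error";
    }
}

/* Print how a value reads when interpreted as an NTSTATUS. */
static void describe(uint32_t v)
{
    struct status_fields f = split_status(v);
    printf("0x%08x: severity=%s customer=%u facility=0x%03x code=0x%04x "
           "NT_SUCCESS=%d\n",
           (unsigned)v, severity_name(f.severity), f.customer,
           f.facility, f.code, EX_NT_SUCCESS(v) ? 1 : 0);
}

int main(void)
{
    /* 0x2 and 0x4000001f come from the thread; the rest are the range
     * boundaries quoted above plus one constructed value with only
     * bit 29 set. */
    const uint32_t samples[] = {
        0x00000002u, 0x4000001fu, 0x3FFFFFFFu,
        0x80000000u, 0xBFFFFFFFu, 0xC0000000u,
        0x20000000u
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        describe(samples[i]);
    return 0;
}
```

For 0x4000001f this reports informational severity with the customer bit clear and code 0x1f.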

Hi raj_r,

Your reply is really excellent. But when meeting with practical issue, we still meet with issue whether the error code is NTSTATUS or Win32 or something else. From the error code and message itself, it does not tell whether it is NTSTATUS or Win32 or something else. So, developer when debugging, he or she needs to try !error command with each value for “Value” parameter, this is the pain. I show the sample below.

In this case, I know nothing about whether error code 4000001f is NTSTATUS or Win32 or something, so I tried with parameter value 0 and parameter value 1, and fortunately, I got only one error message and do not get two different error messages.

Here is my output. Do you have any ideas to check whether an error code is from NTSTATUS or Win32 or something else? So that we do not need to try one by one and also no chances to get two different error messages when try with value 0 and value 1?


(1c90.1d70): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!DbgBreakPoint:
00000000`7d61002d cc              int     3
0:000:x86> !error 4000001f 0
Error code: (Win32) 0x4000001f (1073741855) -
0:000:x86> !error 4000001f 1
Error code: (NTSTATUS) 0x4000001f - Exception status code used by Win32 x86 emulation subsystem.
--------------------.


regards,
George

----- Original Message ----
From: raj_r
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Sent: Sunday, October 12, 2008 3:17:52 AM
Subject: Re: [windbg] about flags for !error command

On 10/10/08, Lin George wrote:
> The debugger help document does not cover the legal ranges. Where to look-up?
>
> !error Value [Flags]

legal range for errors can be from 0 to ffffffff or 0 to
ffffffff`ffffffff (0 to 2^32 or 0 to 2^64 or may be 0 to 2^128 and
above in far future) subject to certain conditions like the below one
that's valid for 2^32 range

The error codes returned by a function are not part of the Windows API
specification and can vary by operating system or device driver. For
this reason, we cannot provide the complete list of error codes that
can be returned by each function. There are also many functions whose
documentation does not include even a partial list of error codes that
can be returned.

Error codes are 32-bit values (bit 31 is the most significant bit).
Bit 29 is reserved for application-defined error codes; no system
error code has this bit set. If you are defining an error code for
your application, set this bit to one. That indicates that the error
code has been defined by an application, and ensures that your error
code does not conflict with any error codes defined by the system.

http://msdn.microsoft.com/en-us/library/ms679360(VS.85).aspx

NTSTATUS
2.2.34 NTSTATUS
NTSTATUS is a standard 32-bit datatype for system-supplied status code values.

NTSTATUS values are used to communicate system information. They are
of four types: success values, information values, warnings, and error
values, as specified in [MS-ERREF].

This type is declared as follows:

typedef long NTSTATUS;

http://msdn.microsoft.com/en-us/library/cc230357.aspx

When testing a return value, you should use one of the following
system-supplied macros (defined in ntdef.h):

NT_SUCCESS(Status)
Evaluates to TRUE if the return value specified by Status is a success
type (0 - 0x3FFFFFFF) or an informational type (0x40000000 -
0x7FFFFFFF).
NT_INFORMATION(Status)
Evaluates to TRUE if the return value specified by Status is an
informational type (0x40000000 - 0x7FFFFFFF).
NT_WARNING(Status)
Evaluates to TRUE if the return value specified by Status is a warning
type (0x80000000 - 0xBFFFFFFF).
NT_ERROR(Status)
Evaluates to TRUE if the return value specified by Status is an error
type (0xC0000000 - 0xFFFFFFFF).

http://msdn.microsoft.com/en-us/library/aa489609.aspx

you can get half a cd full of errors

http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/Windows_Communication_Protocols.zip

only thing you need is the ability to search and unless you develop
the attitude or ability to search, seek and find what you need on
your own no amount of answers are going to help you

for flags as i already said there are only two values that seem to be working
they are 0 AND 1 as documented



Either by knowing which encoding the component in question uses for return codes, or by examining both error texts and seeing if one doesn’t make sense.

In general, the only user mode things that use NTSTATUS are those that call ntdll exports directly, or LSA-related components.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Lin George
Sent: Tuesday, October 14, 2008 3:07 AM
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Subject: Re: [windbg] about flags for !error command

Hi raj_r,

Your reply is really excellent. But when meeting with practical issue, we still meet with issue whether the error code is NTSTATUS or Win32 or something else. From the error code and message itself, it does not tell whether it is NTSTATUS or Win32 or something else. So, developer when debugging, he or she needs to try !error command with each value for “Value” parameter, this is the pain. I show the sample below.

In this case, I know nothing about whether error code 4000001f is NTSTATUS or Win32 or something, so I tried with parameter value 0 and parameter value 1, and fortunately, I got only one error message and do not get two different error messages.

Here is my output. Do you have any ideas to check whether an error code is from NTSTATUS or Win32 or something else? So that we do not need to try one by one and also no chances to get two different error messages when try with value 0 and value 1?


(1c90.1d70): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!DbgBreakPoint:
00000000`7d61002d cc int 3
0:000:x86> !error 4000001f 0
Error code: (Win32) 0x4000001f (1073741855) -
0:000:x86> !error 4000001f 1
Error code: (NTSTATUS) 0x4000001f - Exception status code used by Win32 x86 emulation subsystem.
--------------------.

regards,
George


Thanks Skywing!

Two more questions,

  1. For a specific API like this, InternetOpen, I read through the document, but for the return value, it is hard to categorize it into Win32 or Winsock or NTSTATUS or NetAPI, so it means just from MSDN document, it never formally documented which categories the error code belongs to?

http://msdn.microsoft.com/en-us/library/aa385096(VS.85).aspx

  2. I checked again about my WoW64 sample, I think because WoW64 is driver/kernel level component, so it uses NTSTATUS error code?

regards,
George

----- Original Message ----
From: Skywing
To: Kernel Debugging Interest List
Sent: Tuesday, October 14, 2008 10:16:21 PM
Subject: RE: [windbg] about flags for !error command

Either by knowing which encoding the component in question uses for return codes, or by examining both error texts and seeing if one doesn’t make sense.

In general, the only user mode things that use NTSTATUS are those that call ntdll exports directly, or LSA-related components.

- S


http://www.codeguru.com/forum/showthread.php?p=1770876#post1770876

An MVP (Victor Nijegorodov) took some of his own free time to answer this
for you yesterday, George.

C

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lin George
Sent: 15 October 2008 08:03
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Subject: Re: [windbg] about flags for !error command

Thanks Skywing!

Two more questions,

  1. For a specific API like this, InternetOpen, I read through the document,
    but for the return value, it is hard to categorize it into Win32 or Winsock or
    NTSTATUS or NetAPI, so it means just from MSDN document, it never formally
    documented which categories the error code belongs to?

http://msdn.microsoft.com/en-us/library/aa385096(VS.85).aspx

  2. I checked again about my WoW64 sample, I think because WoW64 is
    driver/kernel level component, so it uses NTSTATUS error code?

regards,
George

----- Original Message ----
From: Skywing
To: Kernel Debugging Interest List
Sent: Tuesday, October 14, 2008 10:16:21 PM
Subject: RE: [windbg] about flags for !error command

Either by knowing which encoding the component in question uses for return
codes, or by examining both error texts and seeing if one doesn’t make
sense.

In general, the only user mode things that use NTSTATUS are those that call
ntdll exports directly, or LSA-related components.

- S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lin George
Sent: Tuesday, October 14, 2008 3:07 AM
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Subject: Re: [windbg] about flags for !error command

Hi raj_r,

Your reply is really excellent. But when meeting with practical issue, we
still meet with issue whether the error code is NTSTATUS or Win32 or
something else. From the error code and message itself, it does not tell
whehter it is NTSTATUS or Win32 or something else. So, developer when
debugging, he or she needs to try !error command with each value for “Value”
parameter, this is the pain. I show the sample below.

In this case, I know nothing about whether error code 4000001f is NTSTATUS
or Win32 or something, so I tried with parameter value 0 and parameter value
1, and fortunately, I got only one error message and do not get two
different error messages.

Here is my output. Do you have any ideas to check whether an error code is
from NTSTATUS or Win32 or something else? So that we do not need to try one
by one and also no chances to get two different error messages when try with
value 0 and value 1?

--------------------
(1c90.1d70): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!DbgBreakPoint:
00000000`7d61002d cc              int     3
0:000:x86> !error 4000001f 0
Error code: (Win32) 0x4000001f (1073741855) - text>
0:000:x86> !error 4000001f 1
Error code: (NTSTATUS) 0x4000001f - Exception status code used by Win32 x86
emulation subsystem.
--------------------.

regards,
George

----- Original Message ----
From: raj_r
To: Kernel Debugging Interest List
Cc: Kernel Debugging Interest List
Sent: Sunday, October 12, 2008 3:17:52 AM
Subject: Re: [windbg] about flags for !error command

On 10/10/08, Lin George wrote:
> The debugger help document does not cover the legal ranges. Where to
> look-up?
>
> !error Value [Flags]

legal range for errors can be from 0 to ffffffff or 0 to
ffffffff`ffffffff (0 to 2^32 or 0 to 2^64 or maybe 0 to 2^128 and
above in far future) subject to certain conditions like the below one
that's valid for 2^32 range

The error codes returned by a function are not part of the Windows API
specification and can vary by operating system or device driver. For
this reason, we cannot provide the complete list of error codes that
can be returned by each function. There are also many functions whose
documentation does not include even a partial list of error codes that
can be returned.

Error codes are 32-bit values (bit 31 is the most significant bit).
Bit 29 is reserved for application-defined error codes; no system
error code has this bit set. If you are defining an error code for
your application, set this bit to one. That indicates that the error
code has been defined by an application, and ensures that your error
code does not conflict with any error codes defined by the system.

http://msdn.microsoft.com/en-us/library/ms679360(VS.85).aspx

NTSTATUS
2.2.34 NTSTATUS
NTSTATUS is a standard 32-bit datatype for system-supplied status code
values.

NTSTATUS values are used to communicate system information. They are
of four types: success values, information values, warnings, and error
values, as specified in [MS-ERREF].

This type is declared as follows:

typedef long NTSTATUS;

http://msdn.microsoft.com/en-us/library/cc230357.aspx

When testing a return value, you should use one of the following
system-supplied macros (defined in ntdef.h):

NT_SUCCESS(Status)
Evaluates to TRUE if the return value specified by Status is a success
type (0 - 0x3FFFFFFF) or an informational type (0x40000000 -
0x7FFFFFFF).
NT_INFORMATION(Status)
Evaluates to TRUE if the return value specified by Status is an
informational type (0x40000000 - 0x7FFFFFFF).
NT_WARNING(Status)
Evaluates to TRUE if the return value specified by Status is a warning
type (0x80000000 - 0xBFFFFFFF).
NT_ERROR(Status)
Evaluates to TRUE if the return value specified by Status is an error
type (0xC0000000 - 0xFFFFFFFF).

http://msdn.microsoft.com/en-us/library/aa489609.aspx

you can get half a cd full of errors

http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/Windows_Communication_Protocols.zip

only thing you need is the ability to search, and unless you develop
the attitude or ability to search, seek and find what you need on
your own, no amount of answers are going to help you

for flags as I already said there are only two values that seem to be
working
they are 0 AND 1 as documented
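
The range tests and the bit 29 rule quoted in the message above, written out as an added example (not code from any list member or from ntdef.h; the function names are this example's own, and the sample values are constructed from the two codes seen in this thread plus one made-up application code):

```c
#include <stdint.h>
#include <stdio.h>

/* Severity classes, numbered by the top two bits of the 32-bit value. */
typedef enum { SEV_SUCCESS = 0, SEV_INFORMATIONAL = 1,
               SEV_WARNING = 2, SEV_ERROR = 3 } nt_severity;

/* 0x00000000-0x3FFFFFFF success, 0x40000000-0x7FFFFFFF informational,
   0x80000000-0xBFFFFFFF warning, 0xC0000000-0xFFFFFFFF error. */
static nt_severity nt_severity_of(uint32_t status)
{
    return (nt_severity)(status >> 30);
}

/* Same result as NT_SUCCESS: true for success and informational values,
   i.e. whenever bit 31 is clear. */
static int nt_success(uint32_t status)
{
    return (status & 0x80000000u) == 0;
}

/* Bit 29 is reserved for application-defined codes; no system code sets it. */
static int app_defined(uint32_t code)
{
    return (int)((code >> 29) & 1u);
}

static const char *severity_name(uint32_t status)
{
    static const char *const names[] =
        { "success", "informational", "warning", "error" };
    return names[nt_severity_of(status)];
}

int main(void)
{
    /* Constructed sample input. */
    const uint32_t samples[] = { 0x00000002u, 0x4000001Fu, 0x20000001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = samples[i];
        printf("0x%08X  as NTSTATUS: %-13s NT_SUCCESS=%d  bit29=%d\n",
               (unsigned)v, severity_name(v), nt_success(v), app_defined(v));
    }
    return 0;
}
```

A small value such as 0x2 lands in the NTSTATUS success range and is also a valid Win32 code, so these tests describe a value once its encoding is known; they do not identify the encoding.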

