Reading Dump file through Debug engine API

Hi all,
I have written a small program using the Debug Engine API to read a dump file.
I am executing “!analyze -v” command through code.

I am able to get almost every detail that could be extracted with the above command, but not the Process Name and Image name.

I really don’t know where I’m going wrong.

Things I tried:
1> Copied the DLLs ext, exts, Kdexts, kext to the same folder where my exe is present.
2> Also copied the symsrv.dll
3> For the symbol path I am using " srv*http://msdl.microsoft.com/download/symbols"

But so far it didn’t work.

The result I’m getting is:

**********output after analyze command:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 84d97860, Terminating object
Arg3: 84d979cc, Process image file name
Arg4: 8285cec0, Explanatory message (ascii)

Debugging Details:

***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.


| |
| NT symbols are not available |
| reduced functionality |

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase

PROCESS_OBJECT: 84d97860

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAULTING_MODULE: 00000000

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xF4

CURRENT_IRQL: 0

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
950dbc9c 829223af 000000f4 00000003 84d97860 0x82722bfc
950dbcc0 828a0009 8285cec0 84d979cc 84d97ad0 0x829223af
950dbcf0 8289ff4c 84d97860 8447b030 00000001 0x828a0009
950dbd24 826818c6 000001e0 00000001 001cebb0 0x8289ff4c
950dbd34 77be70f4 badb0d00 001ceba8 00000000 0x826818c6
950dbd38 badb0d00 001ceba8 00000000 00000000 0x77be70f4
950dbd3c 001ceba8 00000000 00000000 00000000 0xbadb0d00
950dbd40 00000000 00000000 00000000 00000000 0x1ceba8

STACK_COMMAND: kb

BUCKET_ID: CORRUPT_MODULELIST

MODULE_NAME: Unknown_Module
*** Followup info cannot be found !!! Please contact “Debugger Team”

Did you also put DbgEng.dll in the directory? Does the dumpstk sample from
the Debugger SDK work for you?

-scott
OSR
@OSRDrivers

Yes Scott, I have also added DbgEng.dll in the directory.
I tried with the sample dumpstk code … The output from the dumpstk code is the same as the output from my code.

Image name, module name and bucketID are still not resolved, but in windbg I’m able to receive all those things.

I’m thinking that there is some problem with the symbol path… when I configured the exe without any symbol path I got the same result…

Maybe I’m giving the wrong symbol path, or the symbols are not getting downloaded from the URL passed in the symbol path.

symsrv.dll is capable of locating proper symbols if the _NT_SYMBOL_PATH
environment variable is set.
A sample _NT_SYMBOL_PATH will look like:

_NT_SYMBOL_PATH=SRV*C:\symbols*http://msdl.microsoft.com/download/symbols

The bare minimum code that executes analyze (as a standalone exe, not
as an extension DLL) is posted below:

// Run one DbgEng call; on failure print the source line and exit.
#define WRAP( x ) if (( status = x ) != \
    S_OK ) { printf("failed on %d\n", __LINE__); return 0; };
#include <stdio.h>
#include <engextcpp.hpp>
#include "out.cpp" // copy paste from assert sample; g_OutputCb comes from here
IDebugClient* g_Client = NULL;
IDebugControl* g_Control = NULL;
HRESULT status = E_FAIL;
int __cdecl main (void){
    // Create the debugger client and query its control interface.
    WRAP(DebugCreate(__uuidof(IDebugClient),(void**)&g_Client));
    WRAP(g_Client->QueryInterface(__uuidof(IDebugControl),(void**)&g_Control));
    // Open the dump and wait until the engine has finished loading it.
    WRAP(g_Client->OpenDumpFile("test.dmp"));
    WRAP(g_Control->WaitForEvent(0,INFINITE));
    // Send engine output to the callback object, then run the command.
    WRAP(g_Client->SetOutputCallbacks(&g_OutputCb));
    WRAP(g_Control->Execute(1,"!analyze -v",0));
    return 0;
}

On 3/5/15, xxxxx@hotmail.com wrote:
> I’m thinking that there is some problem with symbol path… when i configured
> exe without any symbol path i got the same result…
>
> may be i’m giving wrong symbol path or symbol is not getting downloaded from
> the url passed in symbol path
>
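An added example, not code from any poster in this thread: a portable C++ check that a program driving "!analyze -v" can run over the text its output callback collected, so that IMAGE_NAME, MODULE_NAME and BUCKET_ID are only trusted when the engine actually loaded nt symbols. The names Triage, triage_analyze and kSample are hypothetical; the marker strings are the ones visible in the output posted above.

```cpp
// Added example: triage captured "!analyze -v" text (hypothetical names).
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Triage {
    std::map<std::string, std::string> fields;  // e.g. IMAGE_NAME -> Unknown_Image
    std::vector<std::string> problems;          // reasons the result is unreliable
};

static std::string trim(const std::string& s) {
    const char* junk = " \t\r|*";               // whitespace plus banner characters
    std::size_t b = s.find_first_not_of(junk);
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(junk) - b + 1);
}

Triage triage_analyze(const std::string& text) {
    Triage t;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        // Engine warnings that mean the nt module and its symbols never loaded.
        if (line.find("NT symbols are not available") != std::string::npos ||
            line.find("could not find nt in module list") != std::string::npos)
            t.problems.push_back(trim(line));
        // Result lines look like "KEY: value" with an upper-case key.
        std::size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string key = trim(line.substr(0, colon));
        if (key.empty() ||
            key.find_first_not_of("ABCDEFGHIJKLMNOPQRSTUVWXYZ_") != std::string::npos)
            continue;
        t.fields[key] = trim(line.substr(colon + 1));
    }
    // Placeholder values the analysis prints when it could not resolve a name.
    for (const char* k : {"IMAGE_NAME", "MODULE_NAME"})
        if (t.fields.count(k) && t.fields[k].rfind("Unknown_", 0) == 0)
            t.problems.push_back(std::string(k) + " unresolved");
    if (t.fields.count("BUCKET_ID") && t.fields["BUCKET_ID"] == "CORRUPT_MODULELIST")
        t.problems.push_back("BUCKET_ID is CORRUPT_MODULELIST");
    return t;
}
// Sample input: an excerpt of the output posted in this thread.
const char* kSample =
    "***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.\n"
    "| NT symbols are not available |\n"
    "IMAGE_NAME: Unknown_Image\nBUCKET_ID: CORRUPT_MODULELIST\nMODULE_NAME: Unknown_Module\n";
int main() {
    for (const auto& p : triage_analyze(kSample).problems) std::cout << "unreliable: " << p << "\n";
}
```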