symbol problems

My reliable WinDbg got mad recently, saying it can't find symbols.

Here are the error details:

lkd> .reload
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
SYMSRV: e:\windbg\symbolsold\ntoskrnl.pdb\7DEB5F662C1B4675A79BE082B317F5402\ntoskrnl.pdb
not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.pdb/7DEB5F662C1B4675A79BE082B317F5402/ntoskrnl.pdb
not found
DBGHELP: ntoskrnl.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for ntoskrnl.exe -
DBGHELP: nt - export symbols
Loading Kernel Symbols

Loading User Symbols

Loading unloaded module list

DBGHELP: ntdll - public symbols
e:\windbg\symbolsold\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
<------------------ can find this if i used .symfix to point it to an
old cache which i renamed as symbols old

The only new twist to this WinDbg setup is that Explorer is running in
the System account.

Are there any known problems for WinDbg to find, locate or download symbols
if I'm running my explorer.exe in the System account?

I'm in the System account like this:

at "some future minute" /interactive cmd.exe
taskkill /f /im explorer.exe
explorer.exe
run windbg.bat
which contains

set _NT_SYMBOL_PATH=srv*%cd%\symbols*http://msdl.microsoft.com/download/symbols
windbg

WinDbg fires up fine.
I can get lkd to work,
but it can't find symbols.

Any help, pointers, flames, Google tips are welcome.

regards

raj_r

Is ‘e:’ a mapped drive? If so, it probably doesn’t exist from the
point of view of LocalSystem.

I have to ask, why are you doing this?

mm


e: is a pen drive (flash drive? the stick you stick into a USB port and that gets
shown as removable storage in My Computer); WinDbg is installed on it.

Sure, you can ask.

I’m looking at some crap in a SeDebugPrivilege-less Admin user box,
and I'm getting SeDebugPrivileges by setting Explorer as System account.

Yeah, I know I can set debug privileges using secpol.msc,

but it won't work without a reboot (no, runas doesn’t work),

so shortcut to dump some part of kernel memory, including !process 0 0.

Any ideas why WinDbg can't find symbols in this scenario?

On 1/11/08, Martin O’Brien wrote:
> Is ‘e:’ a mapped drive? If so, it probably doesn’t exist from the
> point of view of LocalSystem.
>
> I have to ask, why are you doing this?
>
> mm

I guess I would run WinObj (Sysinternals) and see where ‘e:’ is
appearing - under ‘GLOBAL??’ or under ‘Sessions.…’ If it is appearing
under the latter, then I don’t think WinDbg would know about it in your
scenario. I just noticed that you can’t find files on SymServer either.
I don’t imagine that LocalSystem has network rights, so I suppose that
is why that would be failing. If not, my bright ideas come to a rather
abrupt end, and I think that it is going to be very hard to say what
this scenario might do, as I seriously doubt anyone ever tested it
during development.

Good luck,

mm


Thanks, Martin.

WinObj doesn't let one copy or export (not at first sight, at least),

so I'll write here what it says.

Under global:

Name: G: (yes, today it's g: :) )

Type: Symbolic link

SymLink: \Device\Harddisk\DP(1)0-0+8

Under right-click Properties it shows the same, with 2 references and
creation time 15 minutes ago.


Sorry for the consecutive post.

I don't get this:

> I don’t imagine that LocalSystem has network rights, so I suppose that
> is why that would be failing.

Is this right different from my IE that's open and answering your queries?

I mean, I killed Explorer, started a new Explorer, double-clicked the
Internet Explorer icon on the desktop, opened Gmail, and I'm writing this
mail.

So I'm confused a bit.

raj_r


Since there seem to be no ideas and Martin seems to have given up,

I'm posting this just for a complete description of the problem.

There seems to be a really different behaviour.

I deleted all symbol folders, symsrv.yes files, pingme files, etc.,

and in the default SeDebugPrivilege-less Admin account

ran WinDbg and opened an executable (WinDbg itself as debuggee).

  1. windbg runs fine
  2. the debuggee runs fine
  3. symsrv runs fine
  4. it fetches all the symbols fine

simply wunderrrfull

Now I close everything,
open a cmd prompt,
do
at 10.39pm /interactive taskmgr.exe
and wait till Task Manager is spawned.

In taskmgr I kill the running explorer.exe,

File -> Run -> and spawn a new explorer.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\NetworkService\Desktop>tasklist /v /fi "imagename eq explorer.exe" /fo "list"

Image Name: EXPLORER.EXE
PID: 3084
Session Name: Console
Session#: 0
Mem Usage: 10,048 K
Status: Running
User Name: NT AUTHORITY\SYSTEM
CPU Time: 0:00:09
Window Title: N/A

C:\Documents and Settings\NetworkService\Desktop>

Now I spawn WinDbg and open WinDbg again in it as debuggee.

In this scenario symsrv can find only the symbols that are already
downloaded and present.

symsrv simply fails to fetch symbols for any newly loaded module whose
symbols are not present.

Here is a dump of the session below, for any curious minds and any
possible explanation of this weird behaviour.

As you can see, symsrv fails to fetch symbols for uxtheme and
richedit20.dll, which are newly loaded and for which symbols are not
available, while it passes muster for all other modules.

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: E:\windbg\windbg.exe
Symbol search path is:
srv*E:\windbg\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 01000000 01093000 windbg.exe
ModLoad: 7c900000 7c9b0000 ntdll.dll
ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77f10000 77f57000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 02000000 02339000 E:\windbg\dbgeng.dll
ModLoad: 03000000 03115000 E:\windbg\dbghelp.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 7c9c0000 7d399000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2649_x-ww_aac16c8b\COMCTL32.dll
ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.dll
(abc.ab8): Break instruction exception - code 80000003 (first chance)
eax=00191eb4 ebx=7ffdf000 ecx=00000003 edx=00000008 esi=00191f48 edi=00191eb4
eip=7c901230 esp=0006fb20 ebp=0006fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3

0:000> lm
start end module name
01000000 01093000 windbg (deferred)
02000000 02339000 dbgeng (deferred)
03000000 03115000 dbghelp (deferred)
71b20000 71b32000 MPR (deferred)
773d0000 774d3000 COMCTL32 (deferred)
774e0000 7761d000 ole32 (deferred)
77c00000 77c08000 VERSION (deferred)
77c10000 77c68000 msvcrt (deferred)
77d40000 77dd0000 USER32 (deferred)
77dd0000 77e6b000 ADVAPI32 (deferred)
77e70000 77f01000 RPCRT4 (deferred)
77f10000 77f57000 GDI32 (deferred)
77f60000 77fd6000 SHLWAPI (deferred)
7c800000 7c8f4000 kernel32 (deferred)
7c900000 7c9b0000 ntdll (pdb symbols)
E:\windbg\symbols\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
7c9c0000 7d399000 SHELL32 (deferred)
0:000> g

NEWLY LOADED MODULES

ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RICHED20.DLL

USED CTRL+BREAK

(abc.c00): Break instruction exception - code 80000003 (first chance)
used ctrl+break here
eax=7ffdf000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c901230 esp=008affcc ebp=008afff4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c901230 cc int 3

0:001> !sym noisy
noisy mode - symbol prompts on
0:001> .reload /f
Reloading current modules
.
DBGHELP: windbg - public symbols
E:\windbg\symbols\windbg.pdb\6FD637A38BC447FBA800CCA78B20B5691\windbg.pdb
.
DBGHELP: dbgeng - public symbols
E:\windbg\symbols\dbgeng.pdb\820A161CDEB84DB8AAB1C1C6EF1D64341\dbgeng.pdb
.
DBGHELP: dbghelp - public symbols
E:\windbg\symbols\dbghelp.pdb\6AD43BA6261A40E8A812FA07EABD0E191\dbghelp.pdb

symsrv fails to fetch symbols :(

.
SYMSRV: WinHttp interface using proxy server: none
SYMSRV: E:\windbg\symbols\uxtheme.pdb\0783E240E97C4C77AEF70C39FB0120212\uxtheme.pdb
not found
SYMSRV: http://msdl.microsoft.com/download/symbols/uxtheme.pdb/0783E240E97C4C77AEF70C39FB0120212/uxtheme.pdb
not found
DBGHELP: C:\WINDOWS\system32\uxtheme.pdb - file not found
DBGHELP: uxtheme.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for C:\WINDOWS\system32\uxtheme.dll -
DBGHELP: uxtheme - export symbols
.
DBGHELP: MPR - public symbols
E:\windbg\symbols\mpr.pdb\637FC2DC1D0A490799B088562BF4F29A2\mpr.pdb
.
SYMSRV: E:\windbg\symbols\riched20.pdb\4CEEB22B2E9046E396D2914386EC32FE2\riched20.pdb
not found
SYMSRV: http://msdl.microsoft.com/download/symbols/riched20.pdb/4CEEB22B2E9046E396D2914386EC32FE2/riched20.pdb
not found
DBGHELP: C:\WINDOWS\system32\riched20.pdb - file not found
DBGHELP: riched20.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for C:\WINDOWS\system32\RICHED20.DLL -
DBGHELP: RICHED20 - export symbols

.
DBGHELP: COMCTL32 - public symbols
E:\windbg\symbols\MicrosoftWindowsCommon-Controls-6.0.2600.2649-comctl32.pdb\2B513596D26140119D18EE30C6ECFA7C1\MicrosoftWindowsCommon-Controls-6.0.2600.2649-comctl32.pdb
.
DBGHELP: ole32 - public symbols
E:\windbg\symbols\ole32.pdb\49AF042E8EC54047B6159C917F0DE6B42\ole32.pdb
.
DBGHELP: VERSION - public symbols
E:\windbg\symbols\version.pdb\180A90C40384463E82DDC45B2C8AB76E2\version.pdb
.
DBGHELP: msvcrt - public symbols
E:\windbg\symbols\msvcrt.pdb\A678F3C30DED426B839032B996987E381\msvcrt.pdb
.
DBGHELP: USER32 - public symbols
E:\windbg\symbols\user32.pdb\74C71F15BFB54CEEBE900B2414AAA9BC2\user32.pdb
.
DBGHELP: ADVAPI32 - public symbols
E:\windbg\symbols\advapi32.pdb\455D6C5F184D45BBB5C5F30F829751142\advapi32.pdb
.
DBGHELP: RPCRT4 - public symbols
E:\windbg\symbols\rpcrt4.pdb\0254FE7EA00E44CBBF6D3DEF80A00C0B2\rpcrt4.pdb
.
DBGHELP: GDI32 - public symbols
E:\windbg\symbols\gdi32.pdb\82BCBB71A552469DBE2C76CA982396262\gdi32.pdb
.
DBGHELP: SHLWAPI - public symbols
E:\windbg\symbols\shlwapi.pdb\C043BA4D7AA14FD5905D2BA51377BE6B2\shlwapi.pdb
.
DBGHELP: kernel32 - public symbols
E:\windbg\symbols\kernel32.pdb\FB334FB28FA34128BDE9229285BE4C2F2\kernel32.pdb
.
DBGHELP: ntdll - public symbols
E:\windbg\symbols\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
.
DBGHELP: SHELL32 - public symbols
E:\windbg\symbols\shell32.pdb\D70458DD285249A9B8199211D73B08352\shell32.pdb

0:001> g

regards

raj_r


> Image Name: EXPLORER.EXE
> User Name: NT AUTHORITY\SYSTEM

> symsrv simply fails to fetch symbols for any newly loaded module whose
> symbols are not present

My guess is that this has something to do with wininet and/or winhttp
configuration. Take a look at this thread:

http://groups.google.com/group/microsoft.public.windbg/browse_frm/thread/9f52257fe9fea2b7/81a6198c1fc9547d?#81a6198c1fc9547d


This posting is provided “AS IS” with no warranties, and confers no
rights.

Thank you, Pavel Lebedinsky.

That thread was really helpful. So this problem has been there for years now,

and we are still awaiting a fix.

I was preparing to go down the route Skywing already passed through:
installed Wireshark on the pen drive and captured a few packets yesterday,
and was going to compare it.

"167","488.839346","192.168.1.3","202.54.10.2","DNS","Standard query A msdl.microsoft.com"

"168","489.297761","202.54.10.2","192.168.1.3","DNS","Standard query response CNAME msdl.microsoft.akadns.net A 207.46.212.122"

"180","490.206864","192.168.1.3","207.46.212.122","HTTP","GET /download/symbols/uxtheme.pdb/0783E240E97C4C77AEF70C39FB0120212/uxtheme.pdb HTTP/1.1"

"188","490.839361","192.168.1.3","207.46.212.122","HTTP","GET /download/symbols/uxtheme.pdb/0783E240E97C4C77AEF70C39FB0120212/uxtheme.pd_ HTTP/1.1"

"408","509.598738","192.168.1.3","207.46.212.122","HTTP","GET /download/symbols/riched20.pdb/4CEEB22B2E9046E396D2914386EC32FE2/riched20.pdb HTTP/1.1"

"416","510.222136","192.168.1.3","207.46.212.122","HTTP","GET /download/symbols/riched20.pdb/4CEEB22B2E9046E396D2914386EC32FE2/riched20.pd_ HTTP/1.1"


and then was going to disassemble symsrv.dll :)

no need to do that since its all already available for me to consume
including a readymade patch

thanks once again pavel

i’ll disassemble fc and patch symsrv.dll

regards

raj_r

On 1/13/08, Pavel Lebedinsky wrote:
> > Image Name: EXPLORER.EXE
> > User Name: NT AUTHORITY\SYSTEM
>
> > symsrv simply fails to fetch symbols for any newly loaded module whose
> > symbols are not present
>
> My guess is that this has something to do with wininet and/or winhttp
> configuration. Take a look at this thread:
>
> http://groups.google.com/group/microsoft.public.windbg/browse_frm/thread/9f52257fe9fea2b7/81a6198c1fc9547d?#81a6198c1fc9547d
>
> –
> This posting is provided “AS IS” with no warranties, and confers no
> rights.
>
>
>

ok for anyone reading this thread and wondering where to patch
symsrv.dll in 6.8.4.0 version here it is in memory

01D13DAA |> C785 D4FDFFFF 6C52D001 MOV DWORD PTR SS:[EBP-22C],symsrv.01D052>; UNICODE “SymSrvBogusProxy”
01D13DB4 |. C785 D0FDFFFF 9052D001 MOV DWORD PTR SS:[EBP-230],symsrv.01D052>; UNICODE “”
01D13DBE |> C745 FC 03000000 MOV DWORD PTR SS:[EBP-4],3

or in disk

000131AA MOV DWORD PTR SS:[EBP-22C],1D0526C
000131B4 MOV DWORD PTR SS:[EBP-230],1D05290
000131BE MOV DWORD PTR SS:[EBP-4],3

or the whole sequence as posted by skywing for 6.6.3.5 version of symsrv.dll
is repeated here for version 6.8.4.0

01D13D83 LEA EDX,DWORD PTR SS:[EBP-18]
01D13D86 PUSH EDX ; /Arg1
01D13D87 CALL symsrv.GetProxyConfig ; \GetProxyConfig
01D13D8C TEST EAX,EAX
01D13D8E JE SHORT symsrv.01D13DAA
01D13D90 CMP DWORD PTR SS:[EBP-10],0
01D13D94 JE SHORT symsrv.01D13DAA
01D13D96 MOV EAX,DWORD PTR SS:[EBP-10]
01D13D99 MOV DWORD PTR SS:[EBP-22C],EAX
01D13D9F MOV ECX,DWORD PTR SS:[EBP-C]
01D13DA2 MOV DWORD PTR SS:[EBP-230],ECX
01D13DA8 JMP SHORT symsrv.01D13DBE
01D13DAA MOV DWORD PTR SS:[EBP-22C],symsrv.01D052>; UNICODE “SymSrvBogusProxy”
01D13DB4 MOV DWORD PTR SS:[EBP-230],symsrv.01D052>; UNICODE “”
01D13DBE MOV DWORD PTR SS:[EBP-4],3
01D13DC5 PUSH 0 ; /dwFlags
01D13DC7 MOV EDX,DWORD PTR SS:[EBP-230] ; |
01D13DCD PUSH EDX ; |pwszProxyBypass
01D13DCE MOV EAX,DWORD PTR SS:[EBP-22C] ; |
01D13DD4 PUSH EAX ; |pwszProxyName
01D13DD5 MOV ECX,DWORD PTR SS:[EBP-4] ; |
01D13DD8 PUSH ECX ; |dwAccessType
01D13DD9 PUSH symsrv.01D448C8 ; |pwszUserAgent = “”
01D13DDE CALL DWORD PTR DS:[imp__WinHttpOpen] ; \symsrv.imp__WinHttpOpen
01D13DE4 MOV DWORD PTR DS:[gshint],EAX
01D13DE9 CMP DWORD PTR DS:[gshint],0
01D13DF0 JNZ SHORT symsrv.01D13DF9

i’ll patch it later and see how it fares and will come back if there are problems

regards

raj_r

ok this patch works like a charm

G:\windbg>tasklist /fi "imagename eq explorer.exe" /v /fo list

Image Name: explorer.exe
PID: 2924
Session Name: Console
Session#: 0
Mem Usage: 9,204 K
Status: Running
User Name: NT AUTHORITY\SYSTEM
CPU Time: 0:00:06
Window Title: N/A

G:\windbg>fc /b symsrvorig.dll symsrv.dll
Comparing files symsrvorig.dll and SYMSRV.DLL
000131B0: 6C 00
000131B1: 52 00
000131B2: D0 00
000131B3: 01 00
000131BA: 90 00
000131BB: 52 00
000131BC: D0 00
000131BD: 01 00
000131C1: 03 01

G:\windbg>runlkd.bat

G:\windbg>set _NT_SYMBOL_PATH=srv*G:\windbg\symbols*http://msdl.microsoft.com/download/symbols

G:\windbg>kd -kl

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Symbol search path is: srv*G:\windbg\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.050928-1517
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553320
Debug session time: Sun Jan 13 16:56:23.951 2008 (GMT+0)
System Uptime: 0 days 2:47:55.433
lkd> lm
start end module name
804d7000 806cd480 nt (pdb symbols) G:\windbg\symbols\ntkrnlpa.pdb\CC2DE018A01244D4832AF532340DCAC41\ntkrnlpa.pdb

regards

raj_r
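
Added example, not part of the thread and not code from any poster: a Python check that folds the nine fc /b byte changes back into the three MOV immediates from the on-disk listing and confirms nothing else in the file was touched. The instruction prefix lengths are read off the opcode bytes in the in-memory listing, and the access-type names are the winhttp.h constants; the function and table names are this example's own.

```python
import re

# fc /b lines copied from the post: "offset: original patched".
FC_OUTPUT = """000131B0: 6C 00
000131B1: 52 00
000131B2: D0 00
000131B3: 01 00
000131BA: 90 00
000131BB: 52 00
000131BC: D0 00
000131BD: 01 00
000131C1: 03 01"""

# (file offset, bytes before the imm32, WinHttpOpen argument, original imm32),
# all taken from the on-disk and in-memory listings in the post.
SITES = [
    (0x131AA, 6, "pwszProxyName", 0x01D0526C),    # C7 85 disp32 imm32
    (0x131B4, 6, "pwszProxyBypass", 0x01D05290),  # C7 85 disp32 imm32
    (0x131BE, 3, "dwAccessType", 3),              # C7 45 disp8  imm32
]
# WINHTTP_ACCESS_TYPE_* values from winhttp.h (prefix dropped for brevity).
ACCESS_TYPES = {0: "DEFAULT_PROXY", 1: "NO_PROXY", 3: "NAMED_PROXY"}

def parse_fc(text):
    """Return {file_offset: (old_byte, new_byte)}."""
    rows = re.findall(r"^([0-9A-F]{8}): ([0-9A-F]{2}) ([0-9A-F]{2})$", text, re.M)
    return {int(o, 16): (int(a, 16), int(b, 16)) for o, a, b in rows}

def decode_patch(diff):
    """Fold byte changes into each immediate; return ({arg: (old, new)}, strays)."""
    decoded, used = {}, set()
    for start, prefix, arg, old_imm in SITES:
        old = old_imm.to_bytes(4, "little")
        new = bytearray(old)
        for i in range(4):
            off = start + prefix + i
            if off in diff:
                if diff[off][0] != old[i]:  # fc disagrees with the listing
                    raise ValueError(f"{arg}: unexpected original byte at {off:08X}")
                new[i] = diff[off][1]
                used.add(off)
        decoded[arg] = (old_imm, int.from_bytes(new, "little"))
    return decoded, sorted(set(diff) - used)

if __name__ == "__main__":
    decoded, strays = decode_patch(parse_fc(FC_OUTPUT))
    for arg, (old, new) in decoded.items():
        print(f"{arg}: {old:#010x} -> {new:#010x}")
    print("dwAccessType now:", ACCESS_TYPES[decoded["dwAccessType"][1]])
    print("bytes outside the three immediates:", strays)
```

Read this way, the diff nulls both proxy string pointers and switches dwAccessType from 3 (named proxy) to 1 (no proxy), with no changed byte outside those three operands.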