Win 7 64 bit symbols not found

Hi, I’m stuck loading symbols in WinDbg for Win 7 64-bit using the Microsoft symbol server:

lkd> !sym noisy
noisy mode - symbol prompts on
lkd> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: cache*;SRV*http://msdl.microsoft.com/download/symbols
lkd> .reload
Connected to Windows 7 7601 x64 target at (Thu Sep 28 16:33:18.421 2023 (UTC + 2:00)), ptr64 TRUE
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols: not available
DBGHELP: ntkrnlmp.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
DBGHELP: nt - export symbols
Loading Kernel Symbols



Loading User Symbols


Loading unloaded module list

SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols: not available
DBGHELP: ntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
DBGHELP: ntdll - export symbols

Can you help me? Thank you.

> SYMSRV: http://msdl.microsoft.com/download/symbols: not available

That seems like you can’t reach the symbol server at all?

> That seems like you can’t reach the symbol server at all?

My Win 7 PC is behind a proxy server. However, I’m able to open an IE page to the Microsoft symbol server URL (viewing their certificates and so on…). The IE browser uses the system-defined proxy server.

From Windbg I get this error:
SYMSRV: error 0x2f19

I don’t know if it is a networking issue or the symbol server simply does not have the required PDB files.

> IE browser uses system-defined proxy server.
Sounds like Windbg doesn’t.

I just skimmed it but it looks like this might help

> I just skimmed it but it looks like this might help

I believe SymSrv is actually able to access the symbol server since I am prompted for proxy credentials and I see the certificate exchange.

lkd> !symsrv close
symbol server client has been closed
lkd> !sym prompts
noisy mode - symbol prompts on
lkd> .reload
Connected to Windows 7 7601 x64 target at (Fri Sep 29 11:35:25.294 2023 (UTC + 2:00)), ptr64 TRUE
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: WinInet Interface using proxy server: https=192.168.200.4:8080 http=192.168.200.4:80 ftp=192.168.200.4:80
SYMSRV: error 0x2f19
SYMSRV: error 0x2f19

SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/90A825EBE124425398C40A24AD0F9F662/ntkrnlmp.pdb not found
DBGHELP: ntkrnlmp.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
DBGHELP: nt - export symbols
Loading Kernel Symbols



Loading User Symbols


Loading unloaded module list

SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: error 0x2f19
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.pdb/D7B2123090454025A8BF3FCFD849CF0A2/ntdll.pdb not found
DBGHELP: ntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll -
DBGHELP: ntdll - export symbols

Way past my skillset now but I’ll note that

http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/90A825EBE124425398C40A24AD0F9F662/ntkrnlmp.pdb

resolves just fine for me, so I’m saying “networking”.

Rod, you’re right. I fixed it by manually downloading the PDB symbol files for ntkrnlmp and ntdll from the same PC (using IE behind the proxy).

I don’t know why Symsrv can’t connect to the symbol server behind the proxy…
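Added example, not part of the original posts: a short Python script that reads `!sym noisy` output like the logs above, lists each PDB the local store lacked together with the symbol-server URL to fetch it from by hand, and decodes the `SYMSRV: error` code. It assumes the code is a WinINet error (the log says SYMSRV is using the WinInet interface); 0x2f19 is 12057, which `wininet.h` defines as `ERROR_INTERNET_SEC_CERT_REV_FAILED`. The function names and the small error table are this example's own.

```python
import re

# Constructed sample: lines copied from the noisy-mode output in this thread.
SAMPLE_LOG = r"""
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb not found
SYMSRV: WinInet Interface using proxy server: https=192.168.200.4:8080 http=192.168.200.4:80 ftp=192.168.200.4:80
SYMSRV: error 0x2f19
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/90A825EBE124425398C40A24AD0F9F662/ntkrnlmp.pdb not found
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb not found
SYMSRV: error 0x2f19
"""

SERVER = "http://msdl.microsoft.com/download/symbols"  # from the .sympath output

# A few WinINet codes from wininet.h (INTERNET_ERROR_BASE = 12000).
WININET_ERRORS = {
    12002: "ERROR_INTERNET_TIMEOUT",
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
    12037: "ERROR_INTERNET_SEC_CERT_DATE_INVALID",
    12038: "ERROR_INTERNET_SEC_CERT_CN_INVALID",
    12045: "ERROR_INTERNET_INVALID_CA",
    12057: "ERROR_INTERNET_SEC_CERT_REV_FAILED",
}

# Local-store miss: <store>\<pdb>\<GUID+age>\<pdb> not found
MISS = re.compile(r"^SYMSRV:\s+(?P<path>[A-Za-z]:\\.*\\(?P<pdb>[^\\]+)"
                  r"\\(?P<idx>[0-9A-Fa-f]+)\\(?P=pdb)) not found$")
ERR = re.compile(r"^SYMSRV:\s+error (0x[0-9A-Fa-f]+)$")

def missing_symbols(log):
    """Map each missing local PDB path to the URL it should be fetched from."""
    plan = {}
    for line in log.splitlines():
        m = MISS.match(line.strip())
        if m:
            plan[m["path"]] = f"{SERVER}/{m['pdb']}/{m['idx']}/{m['pdb']}"
    return plan

def symsrv_errors(log):
    """Return {decimal code: WinINet name} for every distinct SYMSRV error."""
    found = {}
    for line in log.splitlines():
        m = ERR.match(line.strip())
        if m:
            code = int(m[1], 16)
            found[code] = WININET_ERRORS.get(code, "unknown")
    return found

if __name__ == "__main__":
    for dest, url in missing_symbols(SAMPLE_LOG).items():
        print(f"{url}\n  -> {dest}")
    print(symsrv_errors(SAMPLE_LOG))
```

A file saved at the printed destination path is picked up by the next `.reload`. A revocation-check failure behind a proxy is worth checking against the proxy's handling of CRL and OCSP requests.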

Digging into the Cache Manager implementation using WinDbg lkd, I can’t find some of the Cc kernel variables such as nt!CcVacbs and nt!CcNumberVacbs.

Is that expected? Thank you.

lkd> .reload
Connected to Windows 7 7601 x64 target at (Mon Oct 2 13:07:06.249 2023 (UTC + 2:00)), ptr64 TRUE
DBGHELP: nt - public symbols
C:\Program Files\Debugging Tools for Windows (x64)\sym\ntkrnlmp.pdb\90A825EBE124425398C40A24AD0F9F662\ntkrnlmp.pdb
Loading Kernel Symbols



Loading User Symbols


Loading unloaded module list

DBGHELP: ntdll - public symbols
C:\Program Files\Debugging Tools for Windows (x64)\sym\ntdll.pdb\D7B2123090454025A8BF3FCFD849CF0A2\ntdll.pdb

lkd> x nt!CcVacbs
lkd> x nt!CcNumberVacbs
lkd> x nt!CcVacbFreeList
fffff800`0288d8b0 nt!CcVacbFreeList = >

I’d imagine that they are stripped. I don’t see them for Win11.

Remember Windows is not an open source project…

Another point: it seems the command register (r) does not work in local kernel debugging (lkd):

lkd> r eax
^ Bad register error in ‘r eax’
lkd> r rax
^ Bad register error in ‘r rax’

Is that expected? Thank you.

It never worked. The registers are only available when the target is stopped, and local kernel debugging can’t stop the system.