Reload only one symbol in WinDBG - windbg

I'm using the following command in WinDBG to reload all symbols
!sym noisy
.sympath srv*https://msdl.microsoft.com/download/symbols
.reload /f
!sym quiet
How can I reload the symbol of only one DLL, e.g. ntdll?

As I commented, use the module name, optionally along with base and size; see below.
Only ntdll is loaded by default on start at the system breakpoint:
0:000> lm
start end module name
00007ff6`ae300000 00007ff6`ae32e000 cdb (deferred)
00007fff`142f0000 00007fff`14a22000 dbgeng (deferred)
00007fff`210c0000 00007fff`212b3000 dbghelp (deferred)
00007fff`36050000 00007fff`360f9000 dbgmodel (deferred)
00007fff`45040000 00007fff`45075000 XmlLite (deferred)
00007fff`533d0000 00007fff`5346e000 msvcp_win (deferred)
00007fff`53470000 00007fff`53496000 bcrypt (deferred)
00007fff`53600000 00007fff`536fa000 ucrtbase (deferred)
00007fff`53700000 00007fff`539a5000 KERNELBASE (deferred)
00007fff`54360000 00007fff`543e1000 bcryptPrimitives (deferred)
00007fff`54450000 00007fff`544ee000 msvcrt (deferred)
00007fff`54570000 00007fff`548a6000 combase (deferred)
00007fff`54d80000 00007fff`54e9f000 RPCRT4 (deferred)
00007fff`55e70000 00007fff`55f22000 KERNEL32 (deferred)
00007fff`56170000 00007fff`56235000 OLEAUT32 (deferred)
00007fff`56340000 00007fff`56530000 ntdll (pdb symbols) f:\symbols\ntdll.pdb\27341C1B9147DD100EC194BFDD47B97A1\ntdll.pdb
Loading symbols for a single module, viz. dbgmodel.dll:
0:000> .reload /f dbgmodel.dll
0:000> lm
start end module name
00007ff6`ae300000 00007ff6`ae32e000 cdb (deferred)
00007fff`142f0000 00007fff`14a22000 dbgeng (deferred)
00007fff`210c0000 00007fff`212b3000 dbghelp (deferred)
00007fff`36050000 00007fff`360f9000 dbgmodel (pdb symbols) f:\symbols\dbgmodel.pdb\9A0AE73EBC9949A30EF879B505AF2C761\dbgmodel.pdb
00007fff`45040000 00007fff`45075000 XmlLite (deferred)
00007fff`533d0000 00007fff`5346e000 msvcp_win (deferred)
00007fff`53470000 00007fff`53496000 bcrypt (deferred)
00007fff`53600000 00007fff`536fa000 ucrtbase (deferred)
00007fff`53700000 00007fff`539a5000 KERNELBASE (deferred)
00007fff`54360000 00007fff`543e1000 bcryptPrimitives (deferred)
00007fff`54450000 00007fff`544ee000 msvcrt (deferred)
00007fff`54570000 00007fff`548a6000 combase (deferred)
00007fff`54d80000 00007fff`54e9f000 RPCRT4 (deferred)
00007fff`55e70000 00007fff`55f22000 KERNEL32 (deferred)
00007fff`56170000 00007fff`56235000 OLEAUT32 (deferred)
00007fff`56340000 00007fff`56530000 ntdll (pdb symbols) f:\symbols\ntdll.pdb\27341C1B9147DD100EC194BFDD47B97A1\ntdll.pdb
0:000>

Related

WinDbg display CLR (c#) exceptions using SOS [duplicate]

I have a .NET x86 application. I'm trying to run dumpdomain from cdb but keep getting an error.
There are a lot of questions about this, and I've tried several variations:
C:\Users\d.banks\Documents>cdb DoNothingx86.exe
Microsoft (R) Windows Debugger Version 10.0.17134.12 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: DoNothingx86.exe
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00000000`002d0000 00000000`002d8000 image00000000`002d0000
ModLoad: 00007ff8`4f790000 00007ff8`4f960000 ntdll.dll
ModLoad: 00000000`77af0000 00000000`77c73000 ntdll.dll
ModLoad: 00000000`6dda0000 00000000`6ddf2000 C:\WINDOWS\System32\wow64.dll
ModLoad: 00000000`6de10000 00000000`6de87000 C:\WINDOWS\System32\wow64win.dll
(3e64.e4c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ff8`4f862cc0 cc int 3
0:000> .loadby sos.dll mscorwks
Unable to find module 'mscorwks'
0:000> .loadby sos mscorwks
Unable to find module 'mscorwks'
0:000> .loadby C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll mscorwks
Unable to find module 'mscorwks'
0:000> .loadby sos.dll clr
Unable to find module 'clr'
0:000> .loadby sos clr
Unable to find module 'clr'
0:000> .loadby C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll clr
Unable to find module 'clr'
0:000> .load C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll
The call to LoadLibrary(C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll) failed, Win32 error 0n193
"%1 is not a valid Win32 application."
Please check your debugger configuration and/or network access.
0:000> .load C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll clr
The call to LoadLibrary(C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll clr) failed, Win32 error 0n126
"The specified module could not be found."
Please check your debugger configuration and/or network access.
I've tried using the x86 debugger:
Microsoft (R) Windows Debugger Version 10.0.17134.12 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: DoNothingx86.exe
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00930000 00938000 image00930000
ModLoad: 77af0000 77c73000 ntdll.dll
ModLoad: 77900000 779e0000 WOW64_IMAGE_SECTION
ModLoad: 733c0000 73419000 C:\WINDOWS\SysWOW64\MSCOREE.DLL
ModLoad: 77900000 779e0000 C:\WINDOWS\SysWOW64\KERNEL32.dll
ModLoad: 76a00000 76ba2000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
(1e98.2bb0): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=327c0000 edx=00000000 esi=00f326e8 edi=00bd7000
eip=77b96d5c esp=00cff2e4 ebp=00cff310 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrInitShimEngineDynamic+0x71c:
77b96d5c cc int 3
0:000> .loadby sos.dll mscorwks
Unable to find module 'mscorwks'
0:000> .loadby sos.dll clr
Unable to find module 'clr'
0:000> .loadby sos mscorwks
Unable to find module 'mscorwks'
0:000> .loadby sos clr
Unable to find module 'clr'
From
ModLoad: 00000000`6dda0000 00000000`6ddf2000 C:\WINDOWS\System32\wow64.dll
we can see that it's a 32 bit process, so you need 32 bit SOS. 32 bit SOS only works with 32 bit WinDbg.
For loading extensions, there are 2 commands. One is .loadby, the other is .load. For .loadby use a relative path, for .load use a full path.
For .loadby, there are 5 options:
.loadby sos mscorsvr
.loadby sos mscorwks
.loadby sos clr
.loadby sos coreclr
.loadby sos <somethingelse>
where mscorsvr is really really old (.NET CLR 1, server version), mscorwks is quite old (.NET CLR 1 and 2, but still around), clr is common today (.NET CLR 4), coreclr might be increasing (UWP and Silverlight) and <somethingelse> is annoying (look at lm and find something that looks similar but has a number attached).
The main issue is that you're trying to load SOS when the .NET runtime is not loaded yet. Wait until .NET is loaded and then the command will work. It's certainly not possible at the initial breakpoint.
Use
sxe ld clr
sxe ld mscorwks
sxe ld coreclr
g
to let the application run until .NET is available.

Windbg script: Is there a way to have the currently executed command outputted to the log?

I'm using cdb with a script file to process crashing inputs to a process (I don't collect dumps).
The command line for cdb is as follow:
PS> & "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -g -logo K:\_projects\fuzz\out_test.txt -c "`$`$><K:\_projects\fuzz\crash_info_script.wsc" "K:\_projects\fuzz\bin\simpleTest.exe" -f "K:\_projects\fuzz\corpus\crashes\test_00000000.bin"
The script file (crash_info_script.wsc in the above command line) passed to cdb is simple, as I just want basic info:
!analyze -v; .exr -1; lm; k; lmDvmsimpleTest; qq
The problem is that the commands themselves are not in the output log. For example, in the latter I have (output of .exr -1 and lm):
ExceptionAddress: 00007ffe75721f3e (simpleTest!foo+0x0000000000290f7e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000001a435a25000
Attempt to read from address 000001a435a25000
start end module name
00007ff6`df020000 00007ff6`df07d000 simpleTest C (export symbols) K:\_projects\fuzz2\bin\simpleTest.exe
00007ffe`75250000 00007ffe`7686a000 foo (export symbols) K:\_projects\fuzz2\bin\foo.dll
00007ffe`ac530000 00007ffe`ac5ce000 uxtheme (deferred)
00007ffe`aeb10000 00007ffe`aeb41000 cryptnet (deferred)
00007ffe`aeb50000 00007ffe`aeb5a000 VERSION (deferred)
00007ffe`b5230000 00007ffe`b5242000 kernel_appcore (deferred)
00007ffe`b6c50000 00007ffe`b6c5c000 cryptbase (deferred)
00007ffe`b6ce0000 00007ffe`b6d0c000 wldp (deferred)
00007ffe`b6f40000 00007ffe`b6f52000 msasn1 (deferred)
00007ffe`b7100000 00007ffe`b7134000 devobj (deferred)
00007ffe`b74a0000 00007ffe`b75ff000 CRYPT32 (deferred)
...
What I would like:
> .exr -1
ExceptionAddress: 00007ffe75721f3e (simpleTest!foo+0x0000000000290f7e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000001a435a25000
Attempt to read from address 000001a435a25000
> lm
start end module name
00007ff6`df020000 00007ff6`df07d000 simpleTest C (export symbols) K:\_projects\fuzz2\bin\simpleTest.exe
00007ffe`75250000 00007ffe`7686a000 foo (export symbols) K:\_projects\fuzz2\bin\foo.dll
00007ffe`ac530000 00007ffe`ac5ce000 uxtheme (deferred)
00007ffe`aeb10000 00007ffe`aeb41000 cryptnet (deferred)
00007ffe`aeb50000 00007ffe`aeb5a000 VERSION (deferred)
00007ffe`b5230000 00007ffe`b5242000 kernel_appcore (deferred)
00007ffe`b6c50000 00007ffe`b6c5c000 cryptbase (deferred)
00007ffe`b6ce0000 00007ffe`b6d0c000 wldp (deferred)
00007ffe`b6f40000 00007ffe`b6f52000 msasn1 (deferred)
00007ffe`b7100000 00007ffe`b7134000 devobj (deferred)
00007ffe`b74a0000 00007ffe`b75ff000 CRYPT32 (deferred)
...
I could use .printf after each command but this is quite inconvenient, especially if I change the script.
I don't have a fuzzable executable; this is from a dump, so I can't be sure if the behaviour you see is because of that.
Use the -cfr file command instead of -c and try:
pre dir contents
D:\niet>ls -lg
total 153021
-rw-r--r-- 1 197121 156689581 Aug 17 23:49 MEMORY.DMP
-rw-r--r-- 1 197121 22 Sep 17 16:09 foo.wds
D:\niet>file MEMORY.DMP
MEMORY.DMP: MS Windows 64bit crash dump, 4992030524978970960 pages
D:\niet>cat foo.wds
!analyze -v
lm
kb
q
command used
D:\niet>cdb -g -logo foo.txt -cfr foo.wds -z MEMORY.DMP
debugger
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
post dir contents
D:\niet>ls -lg
total 153053
-rw-r--r-- 1 197121 156689581 Aug 17 23:49 MEMORY.DMP
-rw-r--r-- 1 197121 29738 Sep 17 16:19 foo.txt
-rw-r--r-- 1 197121 22 Sep 17 16:09 foo.wds
looking for executed commands
D:\niet>cat foo.txt | grep -i ": kd"
1: kd> !analyze -v
1: kd> lm
1: kd> kb
1: kd> q
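Once the log carries the echoed prompts, as -cfr produces above, a crash log can be split back into per-command sections and reduced to a triage key. The following Python is an added example, not part of the original answer; the function names, the user-mode prompt pattern and the sample log (constructed, modelled on the output shown in the question) are assumptions.

```python
import re

# Assumed prompt shapes: "0:000> cmd" (user mode) and "1: kd> cmd" (kernel mode).
PROMPT = re.compile(r"^(?:\d+:\d+|(?:\d+: )?kd)> (?P<cmd>\S.*)$")
EXR_ADDR = re.compile(r"^ExceptionAddress:\s*(?P<addr>[0-9a-f`]+)(?:\s+\((?P<sym>[^)]+)\))?", re.I)
EXR_CODE = re.compile(r"^ExceptionCode:\s*(?P<code>[0-9a-f]+)", re.I)
LM_ROW = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+(?P<name>\S+)\s+.*?\((?P<status>[^)]+)\)", re.I)

# Constructed sample log (not real debugger output), shaped like the page's.
SAMPLE_LOG = """\
0:000> .exr -1
ExceptionAddress: 00007ff6df021f3e (simpleTest!parse+0x0000000000001f3e)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 000001a435a25000
Attempt to read from address 000001a435a25000
0:000> lm
start             end                 module name
00007ff6`df020000 00007ff6`df07d000   simpleTest C (export symbols)       simpleTest.exe
00007ffe`ac530000 00007ffe`ac5ce000   uxtheme    (deferred)
0:000> k
0:000> qq
"""

def split_by_command(log_text):
    """Map each echoed command to the output lines that follow it, in order."""
    sections, current = {}, None
    for line in log_text.splitlines():
        m = PROMPT.match(line)
        if m:
            current = m.group("cmd").strip()
            sections[current] = []
        elif current is not None:      # lines before the first prompt are banner text
            sections[current].append(line)
    return sections

def parse_exr(lines):
    """Pull the faulting address, symbol and exception code out of `.exr -1` output."""
    rec = {}
    for line in (l.strip() for l in lines):
        m = EXR_ADDR.match(line)
        if m:
            rec["address"], rec["symbol"] = m.group("addr").replace("`", ""), m.group("sym")
        m = EXR_CODE.match(line)
        if m:
            rec["code"] = m.group("code").lower()
    return rec

def parse_lm(lines):
    """Map lower-cased module name to its symbol status, e.g. 'export symbols'."""
    rows = (LM_ROW.match(l.strip()) for l in lines)
    return {m.group("name").lower(): m.group("status") for m in rows if m}

def triage(log_text):
    """Build a bucket key and say whether the faulting module's symbols can be trusted."""
    sec = split_by_command(log_text)
    exr = parse_exr(sec.get(".exr -1", []))
    status = parse_lm(sec.get("lm", [])).get(
        (exr.get("symbol") or "").split("!")[0].lower(), "unknown")
    return {
        "commands": list(sec),
        "bucket": f'{exr.get("code")}:{exr.get("symbol") or exr.get("address")}',
        "module_status": status,
        # With export symbols only, symbol+offset is just the nearest export.
        "symbols_reliable": "pdb symbols" in status,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A bucket whose module_status is "export symbols" is worth re-running with the module's PDB on the symbol path before crashes are de-duplicated on it.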

NTDLL symbols available but !address does not work

I'm trying to do basic debugging with WinDbg but I'm stuck at the beginning since my environment cannot find the symbols for ntdll and those are essential for the !address command:
0:000> !address
No symbols for ntdll. Cannot continue.
The weird thing is that using lm I can see that the debugger is aware of the symbol file! So why can't it use this file? This file was imported using the symchk utility, so it is supposed to be the right symbol file.
Here is the command window output:
0:000> .sympath
Symbol search path is: srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
0:000> lm
start end module name
007b0000 007db000 notepad (no symbols)
71b50000 71d5f000 COMCTL32 (deferred)
747b0000 747ba000 CRYPTBASE (deferred)
747c0000 747e0000 SspiCli (deferred)
747e0000 748ff000 ucrtbase (deferred)
749c0000 74a39000 advapi32 (deferred)
74a40000 74afb000 RPCRT4 (deferred)
74db0000 74fac000 KERNELBASE (pdb symbols) c:\symbols\wkernelbase.pdb\8BC9719D7B1E26272FB1CB98D403792C1\wkernelbase.pdb
75120000 7517f000 bcryptPrimitives (deferred)
75200000 75276000 sechost (deferred)
75330000 75347000 win32u (deferred)
757a0000 7585f000 msvcrt (deferred)
76430000 7658a000 gdi32full (deferred)
76590000 76727000 USER32 (deferred)
76730000 767ac000 msvcp_win (deferred)
768c0000 769a0000 KERNEL32 (deferred)
76aa0000 76b24000 shcore (deferred)
76c50000 76ec6000 combase (deferred)
76fb0000 76fd1000 GDI32 (deferred)
76ff0000 7718a000 ntdll (pdb symbols) c:\symbols\wntdll.pdb\D85FCE08D56038E2C69B69F29E11B5EE1\wntdll.pdb
You can see that the location of the symbol file is identified (lm command output), but it claims no symbols are found.
More interesting, WinDbg can show me the symbols of functions inside ntdll binary:
0:000> x ntdll!*Virtual*
76ff44c0 ntdll!RtlpQueryReadVirtualMemory (void)
76f9bcc7 ntdll!RtlpSecMemFreeVirtualMemory (void)
76fb2df0 ntdll!NtLockVirtualMemory (<no parameter info>)
76fb1fa0 ntdll!ZwQueryVirtualMemory (<no parameter info>)
76fb2bd0 ntdll!NtFlushVirtualMemory (<no parameter info>)
76fb36f0 ntdll!ZwSetInformationVirtualMemory (<no parameter info>)
...
But still, whenever I try to use the !address command I have the same error.

Windbg symbol error

I'm attempting to debug an application using WinDbg. The server doesn't have internet access, so I can't use the Microsoft Symbol server. I went ahead and downloaded the symbols for Server 2012 R2 Retail. Moved them over to the server, and installed to C:\Symbols.
When I attempt to run the debugger, I get the following output.
CommandLine: C:\actionsync\ActionSync\ActionSync.exe
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
DBGHELP: Symbol Search Path: .sympath srv*c:\symbols*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred .sympath srv*c:\Symbols*
DBGHELP: Symbol Search Path: .sympath srv*c:\symbols*
DBGHELP: Symbol Search Path: .sympath srv*c:\symbols*
Symbol search path is: .sympath srv*c:\Symbols*
Executable search path is: srv*
DBGHELP: SharedUserData - virtual symbol module
ModLoad: 00ec0000 00ecc000 ActionSync.exe
ModLoad: 77120000 7728f000 ntdll.dll
ModLoad: 6fc30000 6fc86000 C:\Windows\SysWOW64\MSCOREE.DLL
ModLoad: 74de0000 74f20000 C:\Windows\SysWOW64\KERNEL32.dll
ModLoad: 74f20000 74ff7000 C:\Windows\SysWOW64\KERNELBASE.dll
(1054.478): Break instruction exception - code 80000003 (first chance)
DBGHELP: Invalid path: '.sympath srv*c:\symbols*'
DBGHELP: C:\Windows\SYSTEM32\wntdll.pdb - file not found
DBGHELP: wntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
eax=00000000 ebx=00000000 ecx=7fdc0000 edx=00000000 esi=7ee16000 edi=00000000
eip=771d3c7d esp=0104f2f4 ebp=0104f320 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrInitShimEngineDynamic+0x6dd:
771d3c7d cc int 3
I am completely new to using WinDbg. Additionally, I cannot install VS on this machine.
As far as I know, I have everything setup correctly, but I'm still not able to debug this application.
Any help would be appreciated.
EDIT 1:
I updated the symbol path based on Thomas Weller's Comment
Here is the output
0:000> .sympath
Symbol search path is: .sympath srv*c:\Symbols*
Expanded Symbol search path is: .sympath srv*c:\symbols*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred .sympath srv*c:\Symbols*
Error: Change all symbol paths attempts to access '.sympath c:\symbols' failed: 0x7b - The filename, directory name, or volume label syntax is incorrect.
************* Symbol Path validation summary **************
Response Time (ms) Location
Error 16 .sympath c:\symbols
DBGHELP: Symbol Search Path: .sympath c:\symbols
DBGHELP: Symbol Search Path: .sympath c:\symbols
0:000> .reload
Reloading current modules
.....
DBGHELP: Invalid path: '.sympath c:\symbols'
DBGHELP: C:\Windows\SYSTEM32\wntdll.pdb - file not found
DBGHELP: wntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
************* Symbol Loading Error Summary **************
Module name Error
ntdll All symbol search paths were invalid
Please check your symbol search path.
The following location did not respond and were excluded during symbol loading:
.sympath c:\symbols
EDIT 2:
So, it appears that the sympath is case sensitive.
I updated the sympath to C:\Symbols.
This is the output.
************* Symbol Path validation summary **************
Response Time (ms) Location
OK c:\Symbols
DBGHELP: Symbol Search Path: c:\symbols
DBGHELP: Symbol Search Path: c:\symbols
0:000> .reload
Reloading current modules
.....
DBGHELP: c:\symbols\wntdll.pdb - file not found
DBGHELP: c:\symbols\dll\wntdll.pdb - file not found
DBGHELP: c:\symbols\symbols\dll\wntdll.pdb - file not found
DBGHELP: C:\Windows\SYSTEM32\wntdll.pdb - file not found
DBGHELP: wntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
************* Symbol Loading Error Summary **************
Module name Error
ntdll PDB not found : c:\symbols\symbols\dll\wntdll.pdb
Unable to locate the .pdb file in this location
For both solutions, you need a copy of WinDbg (not necessarily an installation). You find symchk in the WinDbg folder.
Solution for a specific dump / specific debug session
On the machine where you're debugging, create crash dump file with .dump. Skip this step if you already have a crash dump file.
At a command prompt, create a manifest file, i.e. a file that contains information about the symbols to be downloaded
symchk /id <dumpfile>.dmp /om D:\symbols.manifest
/id is for input = dump
/om is for output = manifest
Transfer that manifest file onto a machine with Internet access.
On the Internet machine then run
symchk /im X:\symbols.manifest /s srv*X:\downloadedsymbols\*http://msdl.microsoft.com/download/symbols /od
at the command prompt.
/im is for input = manifest
/od is for output details (like verbose)
Transfer the symbols back to the machine without Internet access. Copy them into a new folder, e.g. c:\downloadedsymbols, not c:\symbols. Don't use an existing symbol path, because the n-tier-layout might not match.
Open the crash dump in WinDbg.
Fix the symbols
.sympath C:\downloadedsymbols
and maybe
.reload /f
Solution for retrieving all symbols of the machine without Internet
Note: this process may take really long, since it may download thousands of symbols
At a command prompt, run
symchk /r /if %windir% /om D:\windir.manifest
/r is for recursive
/if is for input = files
/om is for output = manifest
Transfer that manifest file onto a different machine with Internet access.
On the Internet machine, run
symchk /im X:\windir.manifest /s srv*X:\winsymbols\*http://msdl.microsoft.com/download/symbols /od
/im is for input = manifest
/od is for output details (like verbose)
Transfer the symbols back to the machine without Internet access. Copy them into a new folder, e.g. c:\winsymbols, not c:\symbols. Don't use an existing symbol path, because the n-tier-layout might not match.
Use the symbols with
.sympath C:\winsymbols
.reload

windbg exception in sos.threads on first run

When I load a crash dump in windbg (x64), version 6.3.9600.16384, and load the sos extension for .net, the first time I run the !threads command I get this error:
c0000005 Exception in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.threads debugger extension.
PC: 00007ffa`8fe6c7e3 VA: 00000000`00000000 R/W: 0 Parameter: 00000000`00000000
Subsequent times the command runs fine. Full transcript:
Loading Dump File [C:\Users\celdredge\AppData\Local\Temp\w3wp (2).DMP]
User Mini Dump File with Full Memory: Only application data is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
OK c:\projects\dumps\symbols
Symbol search path is: srv*;c:\projects\dumps\symbols
Executable search path is: srv*
Windows 8 Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
Built by: 6.3.9600.16384 (winblue_rtm.130821-1623)
Machine Name:
Debug session time: Tue Dec 17 23:03:00.000 2013 (UTC - 5:00)
System Uptime: 0 days 9:56:04.777
Process Uptime: 0 days 0:01:41.000
................................................................
................................................................
......................................................
ntdll!NtWaitForSingleObject+0xa:
00007ffa`a1d265ba c3 ret
0:000> .loadby sos clr
0:000> !threads
c0000005 Exception in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.threads debugger extension.
PC: 00007ffa`8fe6c7e3 VA: 00000000`00000000 R/W: 0 Parameter: 00000000`00000000
CLR version:
0:000> lm v mclr
start end module name
00007ffa`84450000 00007ffa`84de8000 clr (pdb symbols) C:\ProgramData\dbg\sym\clr.pdb\252574218A084BE3AFEFF8921ADADB6F2\clr.pdb
Loaded symbol image file: clr.dll
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
Browse all global symbols functions data
Timestamp: Tue Sep 10 02:54:48 2013 (522EC238)
CheckSum: 00994334
ImageSize: 00998000
File version: 4.0.30319.34003
Product version: 4.0.30319.34003
SOS version:
0:000> .chain
Extension DLL search Path:
<snip/>
Extension DLL chain:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll: image 4.0.30319.34003, API 1.0.0, built Tue Sep 10 02:44:16 2013
[path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll]
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos: image 4.0.30319.34003, API 1.0.0, built Tue Sep 10 02:44:16 2013
[path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll]
This seems to be a weird issue caused by saving an explicit workspace which remembers which extensions are loaded. If I .loadby sos clr and save the workspace, next time I open the workspace it will have sos loaded twice. However if I do .load c:\path\to\sos.dll and save the workspace, it only gets loaded once when I reopen it.
In summary, workspaces in windbg are confusing.