Windbg: USER mode dump, windows event is set or not - windbg

I am trying to debug a dump of my user-mode STOPPED_PENDING service, just checking whether the service stop event "MySvcStopEvent" is set or not. I got the event handle and tried to dump the handle details:
0:002> !handle 0x00000000`00000164 f
Handle 0000000000000164
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 3
PointerCount 785993
Name \BaseNamedObjects\MySvcStopEvent
Object specific information
I am not able to figure out whether the event is set or not.

As commented, Object Specific Information will be displayed only if it is present in the dump;
you may have to create the dump using the appropriate options to make sure the info you seek is included in the dump.
Here is a live target display for handle type Event:
0:000> !handle 0 f EVENT
Handle 4
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 32769
Name <none>
Object Specific Information
Event Type Manual Reset
Event is Waiting
Handle c
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object Specific Information
Event Type Auto Reset
Event is Waiting
Handle 3c
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65535
Name <none>
Object Specific Information
Event Type Auto Reset
Event is Set
Handle 40
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65536
Name <none>
Object Specific Information
Event Type Auto Reset
Event is Set
4 handles of type Event
You can use the dumpchk tool that is provided in the windbg package to check the dumps; it parses the _MINIDUMP_HEADER and emits statistics of the input .dmp file,
among which the NumberOfStreams or the _MINIDUMP_HEADER Flags indicate the amount of data that is present in the dump file.
The four dump files below were created with
.dump, .dump /f, .dump /h and .dump /ma using windbg on a random process, and the relevant signals were grepped and posted:
F:\>f:\git\usr\bin\ls.exe -lag *.dmp
-rw-r--r-- 1 197121 7979145 Sep 20 13:09 bar.dmp
-rw-r--r-- 1 197121 7989384 Sep 20 13:10 blah.dmp
-rw-r--r-- 1 197121 9180 Sep 20 13:09 foo.dmp
-rw-r--r-- 1 197121 11198 Sep 20 13:10 hand.dmp
F:\>f:\git\usr\bin\ls.exe -lag *.txt
-rw-r--r-- 1 197121 8612 Sep 20 13:12 bar.txt
-rw-r--r-- 1 197121 22447 Sep 20 13:12 blah.txt
-rw-r--r-- 1 197121 13912 Sep 20 13:11 foo.txt
-rw-r--r-- 1 197121 15458 Sep 20 13:12 hand.txt
F:\>f:\git\usr\bin\grep.exe -ir "Loading.*Dump.*File" -A 1 *.txt
bar.txt:Loading Dump File [F:\bar.dmp]
bar.txt-User Dump File: Only application data is available
--
blah.txt:Loading Dump File [F:\blah.dmp]
blah.txt-User Mini Dump File with Full Memory: Only application data is available
--
foo.txt:Loading Dump File [F:\foo.dmp]
foo.txt-User Mini Dump File: Only registers, stack and portions of memory are available
--
hand.txt:Loading Dump File [F:\hand.dmp]
hand.txt-User Mini Dump File: Only registers, stack and portions of memory are available
F:\>f:\git\usr\bin\grep.exe -ir "Number.*of.*Streams" -A 1 *.txt
blah.txt:NumberOfStreams 17
blah.txt-Flags 641826
--
foo.txt:NumberOfStreams 13
foo.txt-Flags 40000
--
hand.txt:NumberOfStreams 15
hand.txt-Flags 40004
Regarding the last comment:
I based that answer on this quote from the documentation, and it worked for me a few times when I needed it, but the answer wasn't validated by the OP and was commented to be superfluous.
The quote from the documentation's Remarks section:
However, you cannot use this extension on user-mode dump files, unless you specifically created them with handle information. (You can create such dump files by using the .dump /mh (Create Dump File) command.)
EDIT: Curiosity always kills the cat.
I created 3 dumps using Sysinternals procdump on a Win10 64-bit machine
using a 64-bit debuggee,
loaded them all in windbg to look for handle type Event,
and all of them have handle data and all of them have object specific information.
So obviously this is a coin-toss problem, or probably a 64-bit / 32-bit weird corner-case issue, maybe;
no conclusive evidence for pro or con could be derived.
f:\src\wait>f:\sysint\procdump.exe -mm wait.exe waitmm.dmp
f:\src\wait>f:\sysint\procdump.exe -ma wait.exe waitma.dmp
f:\src\wait>f:\sysint\procdump.exe -mc ffffffff wait.exe waitmc.dmp
f:\src\wait>f:\git\usr\bin\ls -lag *.dmp
-rw-r--r-- 1 197121 7003583 Sep 23 17:47 waitma.dmp
-rw-r--r-- 1 197121 124387 Sep 23 17:47 waitmc.dmp
-rw-r--r-- 1 197121 124369 Sep 23 17:47 waitmm.dmp
f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitmc.dmp
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Manual Reset
Event is Set
Handle 0000000000000008
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65538
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
4 handles of type Event
quit:
f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitma.dmp
0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Manual Reset
Event is Set
Handle 0000000000000008
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65538
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
4 handles of type Event
quit:
f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitmm.dmp
0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Manual Reset
Event is Set
Handle 0000000000000008
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65538
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
4 handles of type Event
quit:
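As an added example (not code from the original question or answer): a small Python check of a .dmp's _MINIDUMP_HEADER and HandleDataStream, the same fields dumpchk reports, that tells you up front whether "!handle ... f" can show Object Specific Information, so you know whether to recreate the dump before spending time in the debugger. It assumes the documented minidumpapiset.h layouts (MINIDUMP_HEADER, MINIDUMP_DIRECTORY, MINIDUMP_HANDLE_DATA_STREAM, MINIDUMP_HANDLE_DESCRIPTOR_2); the sample dump bytes are constructed here, not taken from the post's files.

```python
import struct

MDMP_SIGNATURE = 0x504D444D         # 'MDMP'
MINIDUMP_WITH_HANDLE_DATA = 0x4     # MINIDUMP_TYPE flag set by .dump /h, /mh and /ma
HANDLE_DATA_STREAM = 12             # MINIDUMP_STREAM_TYPE value of HandleDataStream
HEADER = struct.Struct("<IIIIIIQ")  # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRENT = struct.Struct("<III")      # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
HSTREAM = struct.Struct("<IIII")    # MINIDUMP_HANDLE_DATA_STREAM: SizeOfHeader, SizeOfDescriptor, NumberOfDescriptors, Reserved
DESC2_SIZE, OBJINFO_OFF = 40, 32    # MINIDUMP_HANDLE_DESCRIPTOR_2 size and the offset of its ObjectInfoRva

def inspect_minidump(data: bytes) -> dict:
    """Report whether the header flags and handle stream can back '!handle 0 f' output."""
    sig, _ver, nstreams, dir_rva, _cs, _ts, flags = HEADER.unpack_from(data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    res = {"streams": nstreams, "flags": flags,
           "handle_flag": bool(flags & MINIDUMP_WITH_HANDLE_DATA),
           "handles": 0, "handles_with_object_info": 0}
    for i in range(nstreams):
        stype, size, rva = DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
        if stype != HANDLE_DATA_STREAM or size < HSTREAM.size:
            continue
        hdr_size, desc_size, count, _ = HSTREAM.unpack_from(data, rva)
        res["handles"] = count
        if desc_size < DESC2_SIZE:          # v1 descriptors carry no ObjectInfoRva at all
            continue
        for d in range(count):              # a non-zero ObjectInfoRva is what points at the
            off = rva + hdr_size + d * desc_size + OBJINFO_OFF   # "Object specific information"
            if struct.unpack_from("<I", data, off)[0]:
                res["handles_with_object_info"] += 1
    return res

def build_sample(flags: int, object_info: list) -> bytes:
    """Construct a minimal dump: header, directory and a handle stream holding one
    zero-filled v2 descriptor per entry of object_info (True = ObjectInfoRva set)."""
    streams = [3, 4, 5, 7, 15] + ([HANDLE_DATA_STREAM] if object_info else [])
    body_rva = HEADER.size + DIRENT.size * len(streams)
    hstream = b""
    if object_info:   # RVA value 1 below is a placeholder, not a real offset
        descs = b"".join(b"\0" * OBJINFO_OFF + struct.pack("<II", int(has), 0) for has in object_info)
        hstream = HSTREAM.pack(HSTREAM.size, DESC2_SIZE, len(object_info), 0) + descs
    dirents = b"".join(DIRENT.pack(s, len(hstream) if s == HANDLE_DATA_STREAM else 0,
                                   body_rva if s == HANDLE_DATA_STREAM else 0) for s in streams)
    return HEADER.pack(MDMP_SIGNATURE, 0xA793, len(streams), HEADER.size, 0, 0, flags) + dirents + hstream

# Constructed to mirror the post's two cases: a plain .dump (Flags 0x40000, no handle
# stream) and a .dump /h (Flags 0x40004) where 3 of 4 handles carry object-specific data.
PLAIN_DUMP = build_sample(0x40000, [])
HANDLE_DUMP = build_sample(0x40004, [True, True, False, True])
```

Run it on a real file with inspect_minidump(open("hand.dmp", "rb").read()); a result with handle_flag False or handles_with_object_info 0 means the event state was never captured and the dump has to be recreated with .dump /mh or /ma (or a procdump switch that includes handle data).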

Related

How to pull partition value from HDFS path using sed/grep/awk when partition value is dynamic

I am trying to save the partition value from an HDFS path to a file for different tables.
I tried using sed to pull the last 8 digits, but since the partition value changes (sometimes it may be YYYYMMDD, sometimes YYYYMM), I am trying to see if we can grep data_dt from the HDFS path instead of using sed.
Code used:
hadoop fs -ls <hdfs_path> | sort -k6,7 | tail -2 > partition_info.txt
partitions=$(sed -e 's,.*\(.\{8\}\)$,\1,' partition_info.txt)
echo $partitions > partition_tables.txt
Desired output example:
20200531
202005
202004
20200601
hadoop fs -ls output looks like this:
drwxr-xr-x - kmedgel kmedgego 0 2020-05-30 09:33 /km/gold/edge_gold/otsd_cmpl/data_dt=20200530
drwxr-xr-x - kmedgel kmedgego 0 2020-05-31 09:33 /km/gold/edge_gold/otsd_cmpl/data_dt=20200531
drwxr-xr-x - kmedgel kmedgego 0 2020-06-01 09:34 /km/gold/edge_gold/otsd_cmpl/data_dt=20200601
drwxr-xr-x - kmedgel kmedgego 0 2020-06-02 09:34 /km/gold/edge_gold/otsd_cmpl/data_dt=20200602
drwxr-xr-x - kmedgel kmedgego 0 2020-06-03 09:55 /km/gold/edge_gold/otsd_cmpl/data_dt=20200603
I used a while loop, saying notNeed for the whole statement except for the field we are looking for, i.e. data_dt.
Answer
# Split each listing line at "=": everything before it lands in notNeed,
# the remainder (the data_dt value, whatever its length) in data_dt.
while IFS="=" read -r notNeed data_dt
do
    echo "$data_dt"
done < partition_info.txt > partition_tables.txt

How can I remove COM ports by command line (w/o installing)

The setup: an automated test station, built around a Windows 7 PC. The UUTs (Units Under Test) are connected and disconnected often, creating many COM ports.
The problem: the test is searching for the device at a specific COM port, requiring the user to manually remove the "ghost" COM ports.
The question: since the software is used by several test stations in parallel on a production floor, I cannot install additional software (e.g. Devcon, part of the Windows SDK). Is there a command-line option to remove the COM ports?
Based on this blog entry:
The only thing that actually worked for me is not the intended solution... but it fit the case at hand:
I created a batch file at C:\windows\system32
The content:
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\COM Name Arbiter" /v ComDB /t REG_BINARY /d 0206 /f
The actual value of the registry key (0206 in my example) can either be read from that key (use regedit) or calculated from binary:
com8 com7 com6 com5 com4 com3 com2 com1 com16 com15 com14 com13 com12 com11 com10 com9
0 0 0 0 0 0 1 1 0 0 0 0 0 1 1 0
since I wished to keep com1, com2, com10 and com11 - 0000 0011 0000 0110 - which stands for 0206.
Executing this batch file will remove the unnecessary COM ports while leaving the ones I intended.
*The batch should be in system32 to be executed as elevated (administrator).
*For more details refer to this PDF.

Getting CPU cycles from user mode dump

Process Explorer has columns for CPU time (down to milliseconds) and CPU Cycles. For WinDbg I am aware of the !runaway command, also !runaway 7 for more details, but it shows CPU time only.
Are the CPU cycles also available somehow in a user mode crash dump?
What I have tried:
I looked at dt nt!_KTHREAD and I see it has a CycleTime property:
ntdll!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x018 CycleTime : Uint8B
I tried to query that property in a !for_each_thread, but WinDbg responds that it's available in kernel mode only.
Why do I want those CPU cycles?
I am working on a training for JetBrains dotTrace. It has an option to count CPU cycles and I'd like to explain where these cycles come from. The kernel structure above and Process Explorer are probably enough, but it would be awesome to see it live or post mortem in a user-mode dump. I explain a lot of basics with WinDbg.
Following the implementation of GetProcessTimes() in ReactOS, you can see that the information is copied from the process' KPROCESS. So, indeed, it's only physically present in a dump that includes kernel memory.
C:\tw>ls -l
total 0
C:\tw>cdb -c ".dump /ma .\tw.dmp;q" calc.exe | grep writ
Dump successfully written
C:\tw>cdb -c "lm;!peb;.dump /ma .\tw1.dmp;q" calc.exe | grep writ
Dump successfully written
C:\tw>cdb -c ".ttime;q" -z tw.dmp | grep -B 3 quit
Created: Wed Apr 5 20:03:55.919 2017 ()
Kernel: 0 days 0:00:00.046
User: 0 days 0:00:00.000
quit:
C:\tw>cdb -c ".ttime;q" -z tw1.dmp | grep -B 3 quit
Created: Wed Apr 5 20:04:28.682 2017 ()
Kernel: 0 days 0:00:00.031
User: 0 days 0:00:00.000
quit:
C:\tw>

How to retain the file attributes uid and gid when copy the file from remote using Net::SFTP::Foreign module?

I am using the Net::SFTP::Foreign module to copy files from a remote machine to a source machine, and after the copy operation I am able to retain the file creation time and permissions, except the gid and uid.
After the copy operation I have the attributes below:
root#system # ls -n
/dest/files -rw-r--r-- 1 0 0 4424 Jun 10 04:45 /dest/files/file.txt
While at the source the attributes are:
root#source # ls -n
/source/files -rw-r--r-- 1 1001 1002 4424 Jun 10 04:45 /source/files/file.txt
I used the code below for the SFTP operation:
use Net::SFTP::Foreign;

my $sftp = Net::SFTP::Foreign->new(
    host => $host
);
# copy_perm => 1 carries the permission bits over; nothing here touches uid/gid
$sftp->get( $file, $dest, copy_perm => 1 );
I have not found any option in the documentation of Net::SFTP::Foreign for retaining the uid and gid.
Does anybody have any idea?

Sort files in dired by full path

I am using find-name-dired to find multiple instances of files that all have the same name (call it foo.txt) but in different directories. I want the files listed by alphabetical order of file path. However, they're listed in what looks like a random order. Neither dired-sort-menu nor dired-sort-chiesa will sort the output of find-name-dired, even though it will work on other dired buffers (whose format looks very similar). If I write the contents of the dired buffer to a file, I'm able to open a shell and submit the file to a sort command in the shell that uses the 9th field (the path) as a key. This produces output that looks right, but of course it's no longer a dired buffer.
Is there a way that I can
read in that externally sorted file and open it in dired "mode" (analogous to compilation mode),
sort the output of find-name-dired while still in dired mode, or
produce output from find-name-dired that's sorted the way I want from the beginning?
UPDATE:
Just to make things a bit more concrete, here's the current buffer:
/home/afrankel/Documents/emacs_test/:
find . \( -iname foo.txt \) -exec ls -ld \{\} \;
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 a/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 b/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 d/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 c/z/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 c/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 f/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 e/foo.txt
find finished at Fri Nov 30 17:00:41
Pressing "s" (which would sort most dired buffers) gives the error "Cannot sort this dired buffer".
I want the buffer to look like this:
/home/afrankel/Documents/emacs_test/:
find . \( -iname foo.txt \) -exec ls -ld \{\} \;
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 a/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 b/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 c/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 c/z/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 d/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 e/foo.txt
-rw-r--r-- 1 afrankel users 4 Nov 30 16:59 f/foo.txt
find finished at Fri Nov 30 17:00:41
When you type s in a "normal" Dired buffer, Dired doesn't actually sort the buffer. What it does is to change the value of dired-actual-switches so that it does (or doesn't) contain the -t option ("sort by modification time") and then call revert-buffer which re-runs ls with the new options. This obviously doesn't work in a Dired buffer produced by running find.
What you need to do instead is to arrange to run find with the -s option:
-s Cause find to traverse the file hierarchies in lexicographical
order, i.e., alphabetical order within each directory.
which you can do (for all find-dired commands) by evaluating
(setq find-program "find -s")
Okay, I figured out how to do it using defadvice to automatically change the value of find-ls-option while I'm executing my new wrapper function (find-name-dired-sorted) and then to change it back to its original value.
(defadvice find-name-dired (around find-name-dired-around)
  "Advice: Sort output by path name."
  (let ((find-ls-option (list "-exec ls -ld {} \\; |sort --key=9")))
    ad-do-it))

(defun find-name-dired-sorted (dir pattern)
  "Sort the output of find-name-dired by path name."
  (interactive
   "DFind-name (directory): \nsFind-name (filename wildcard): ")
  (ad-activate 'find-name-dired)
  (find-name-dired dir pattern)
  (ad-deactivate 'find-name-dired))
Here's one way to do it manually via a temporary change to the configuration:
Run M-x customize-group find-dired.
Change the contents of the field "Find Ls Option" . It should initially read "-exec ls -ld {} \;". Append text to make it read "-exec ls -ld {} \; |sort --key=9". (In other words, sort by field 9, which is the full path treated as a single string.)
Set the option for the current session only.
UPDATE: It's better to use defadvice, as I did in my other (later) answer.