Process description, user and publisher information in dump - windbg

Is there a way to retrieve the process description and publisher from a Windows Kernel crash dump?
I tried !process and !dml_proc. It doesn't show that information.

The description should be obtained from the exe module.
Example:
0: kd> !PROCESS fffffa800482f940 2
GetPointerFromAddress: unable to read from fffff80397f65000
PROCESS fffffa800482f940
SessionId: 1 Cid: 0e3c Peb: 7f7cfefa000 ParentCid: 04bc
DirBase: 26bcc000 ObjectTable: fffff8a0028f4e80 HandleCount: <Data Not Accessible>
Image: Taskmgr.exe
0: kd> .process /p fffffa800482f940
Implicit process is now fffffa80`0482f940
0: kd> .reload /user
Loading User Symbols
..........................................................
0: kd> lmvm Taskmgr
Browse full module list
start end module name
000007f7`d08c0000 000007f7`d09da000 taskmgr (deferred)
Image path: C:\Windows\system32\taskmgr.exe
Image name: taskmgr.exe
Browse all global symbols functions data
Timestamp: Thu Jul 26 02:07:18 2012 (50107C26)
CheckSum: 00119B41
ImageSize: 0011A000
File version: 6.2.9200.16384
Product version: 6.2.9200.16384
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: Taskmgr.exe
OriginalFilename: Taskmgr.exe
ProductVersion: 6.2.9200.16384
FileVersion: 6.2.9200.16384 (win8_rtm.120725-1247)
FileDescription: Task Manager
LegalCopyright: © Microsoft Corporation. All rights reserved.

I was trying to edit and post a clarification to pykd-team's answer, but the edit turned out to be substantial, so I posted this as an answer.
FileDescription from the lmvm output refers to the Description column in the Task Manager Details tab.
CompanyName refers to the Publisher column in the Startup tab.
C:\Windows\system32>wmic Startup where Caption="vmware user process" get /format:list
Caption=VMware User Process
Command="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
Description=VMware User Process
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=VMware User Process
SettingID=
User=Public
UserSID=
C:\Windows\system32>reg query hklm\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
VMware User Process REG_SZ "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
You can check by modifying the FILE_VERSION_INFO in the .rsrc section of any file that is executed at startup; see below an edited publisher in windbg of the same exe as posted above.
How to check the validity of the above assertion:
open a live kd session
run task manager in target and select a startup
look at details and locate the process name say vmtoolsd.exe
break into kd using ctrl+break
!process 0 0 vmtoolsd.exe
.process /p /r EPROCESS ADDRESS OF vmtoolsd.exe
!dh vmtoolsd find the Data directory SECURITY DIRECTORY and start searching for FILE_VERSION_INFO
locate the string value of Company Name
use eb Address to edit the Company Name to some random string
execute using g
now execute task manager and you will see the publisher column in startup tab reflecting the random string as publisher
The username is not tied to the file but to the process; grab the token
from !process <Eproc> 1 and pass the TOKEN value to !token -n.
Here is a sample script to retrieve user names for each running process:
!for_each_process "r $t0=(##c++(((_EPROCESS*) ##Process )->Token.Object)&0xfffffff8);r? $t1=##c++(((_TOKEN*)##(#$t0))->LogonSession->AccountName);r? $t2=##c++(((_EPROCESS *) ##Process )->ImageFileName);.printf \"%mu\t\t\t%ma\\n\",##c++((wchar_t *)#$t1.Buffer),##c++((char*)#$t2)"
You should get results like this:
kd> $$>a< getuname4proc.txt
xx-PC$ smss.exe
LOCAL SERVICE svchost.exe
xx taskhost.exe
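The Description and Publisher columns discussed above are read from the FileDescription and CompanyName strings of the executable's VS_VERSIONINFO resource, which is plain, unsigned data in the .rsrc section; that is why patching it changes what Task Manager shows, and why a publisher claim should be checked against the Authenticode signature rather than these strings. The following added example (not code from the thread or any of its posters) builds a constructed version-resource blob with sample values and parses the StringFileInfo block back out, so the layout can be inspected offline. The sample strings, the 040904b0 language/codepage id and the helper names are all assumptions for illustration.

```python
"""Build and parse the StringFileInfo part of a Windows VS_VERSIONINFO resource.

Added example; the sample values are constructed and do not come from any
real binary. Layout per the VS_VERSIONINFO / StringFileInfo / StringTable /
String structures: each node is wLength, wValueLength, wType, szKey (UTF-16LE,
NUL terminated), padding to a DWORD boundary, Value, then DWORD-aligned children.
"""
import struct


def _pad4(buf: bytearray) -> None:
    """Append zero bytes until the buffer is DWORD aligned."""
    while len(buf) % 4:
        buf.append(0)


def _node(key: str, wtype: int, value: bytes = b"", value_len: int = 0,
          children=()) -> bytes:
    """Serialize one resource node; wLength is back-patched once the size is known."""
    body = bytearray(struct.pack("<HHH", 0, value_len, wtype))
    body += key.encode("utf-16-le") + b"\x00\x00"
    _pad4(body)                      # Padding1: align Value
    body += value
    for child in children:
        _pad4(body)                  # children are DWORD aligned
        body += child
    struct.pack_into("<H", body, 0, len(body))
    return bytes(body)


def build_version_info(strings: dict, lang: str = "040904b0") -> bytes:
    """Construct a VS_VERSIONINFO blob with one StringTable (sample data only)."""
    # VS_FIXEDFILEINFO is 52 bytes; only the signature and struct version are set here.
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000, *([0] * 11))
    # For text (wType 1) nodes wValueLength counts WCHARs including the NUL terminator.
    string_nodes = []
    for key, text in strings.items():
        value = text.encode("utf-16-le") + b"\x00\x00"
        string_nodes.append(_node(key, 1, value, len(value) // 2))
    table = _node(lang, 1, children=string_nodes)
    sfi = _node("StringFileInfo", 1, children=[table])
    return _node("VS_VERSION_INFO", 0, fixed, len(fixed), children=[sfi])


def _read_node(buf: bytes, off: int):
    """Return (key, wType, wValueLength, value offset, end offset) of the node at off."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    p = q = off + 6
    while buf[q:q + 2] != b"\x00\x00":   # scan the UTF-16LE key two bytes at a time
        q += 2
    key = buf[p:q].decode("utf-16-le")
    value_off = (q + 2 + 3) & ~3         # skip terminator, then DWORD align
    return key, wtype, vlen, value_off, off + wlen


def parse_string_file_info(blob: bytes) -> dict:
    """Return {lang_id: {key: value}} for every StringTable found in the resource."""
    key, _, vlen, value_off, end = _read_node(blob, 0)
    if key != "VS_VERSION_INFO":
        raise ValueError("not a VS_VERSIONINFO block")
    tables = {}
    off = (value_off + vlen + 3) & ~3    # skip VS_FIXEDFILEINFO, align to children
    while off < end:
        ckey, _, _, cval, cend = _read_node(blob, off)
        if ckey == "StringFileInfo":     # VarFileInfo and unknown nodes are skipped
            toff = cval
            while toff < cend:
                lang, _, _, sval, tend = _read_node(blob, toff)
                entries, soff = {}, sval
                while soff < tend:
                    skey, stype, slen, vo, send = _read_node(blob, soff)
                    raw = blob[vo:vo + (slen * 2 if stype == 1 else slen)]
                    entries[skey] = raw.decode("utf-16-le").rstrip("\x00")
                    soff = (send + 3) & ~3
                tables[lang] = entries
                toff = (tend + 3) & ~3
        off = (cend + 3) & ~3
    return tables


def task_manager_columns(blob: bytes, lang: str = "040904b0") -> dict:
    """Map the resource strings onto the two Task Manager columns named in the thread."""
    strings = parse_string_file_info(blob).get(lang, {})
    return {"Description": strings.get("FileDescription", ""),
            "Publisher": strings.get("CompanyName", "")}


# Constructed sample values; nothing here is taken from a real executable.
SAMPLE_STRINGS = {
    "CompanyName": "Example Corp",
    "FileDescription": "Example Service Host",
    "OriginalFilename": "exsvc.exe",
    "ProductVersion": "1.2.3.4",
}
SAMPLE_BLOB = build_version_info(SAMPLE_STRINGS)

if __name__ == "__main__":
    print(task_manager_columns(SAMPLE_BLOB))
```

On a live system the same blob is what the Win32 GetFileVersionInfoW call (version.dll) returns for a file, so the parser can be pointed at a real resource once it has been read out; the point to keep in mind is that the values are whatever the file (or a memory patch) says they are, and only an Authenticode signature check ties a publisher name to a verified signer.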

You can get this information and a lot more by using the !ps command from DbgKit.
Note: From a Kernel Memory Dump you can only get User Name. To get User Name, File Description and Company Name you need a Complete Memory Dump.
Copy dbgkit.dll into winext folder (For example: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\winext)
Open a dump file in WinDbg
Run .load dbgkit command
Run !ps command (to view other commands run !dbgkit.help)

Related

Cannot Install Postgresql 14 on my windows server 2019 - post install errors

I have pgAdmin 4.6 running with PostgreSQL 12 on my Windows 2019 server. I want to install PostgreSQL 14. I have tried installing it using the latest EDB .exe file a few times: each attempt I wind up with a post-installation error. I've tried logged in as an administrator. I've adjusted the postgresql folder security privileges to allow 'all application packages', 'all restricted application packages', users in the administrator group and my own user account with full control... and I have even tried adding postgres as a local administrator account and installing from an elevated cmd-prompt. Any way I have sliced it - I continue to get the post-installation error. The installer finishes, but no postgresql 14 service is installed, and the only folder in the PostgreSQL 14 directory is Data.
What am I missing? What gives? Can I use pgAdmin to create a new postgresql 14 server? How do I initialize a postgreSQL 14 database? Would it matter if I already have pgAdmin 4.6 and postgreSQL 12 installed? I'd appreciate a little help. Many thanks!
Log started 01/21/2022 at 18:20:18
Preferred installation mode : qt
Trying to init installer in mode qt
Mode qt successfully initialized
Setting variable whoami from C:\WINDOWS\System32\whoami
Script exit code: 0
Script output:
dn\USER
Script stderr:
Executing C:\WINDOWS\System32\icacls "C:\Users\USER\AppData\Local\Temp/postgresql_installer_631f935164" /inheritance:r
Script exit code: 0
Script output:
processed file: C:\Users\USER\AppData\Local\Temp/postgresql_installer_631f935164
Successfully processed 1 files; Failed processing 0 files
Script stderr:
Executing C:\WINDOWS\System32\icacls "C:\Users\USER\AppData\Local\Temp/postgresql_installer_631f935164" /T /Q /grant "dn\USER:(OI)(CI)F"
Script exit code: 0
Script output:
Successfully processed 1 files; Failed processing 0 files
Script stderr:
Executing C:\WINDOWS\System32\cscript //NoLogo "C:\Users\USER\AppData\Local\Temp\postgresql_installer_631f935164\prerun_checks.vbs"
Script exit code: 0
Script output:
The scripting host appears to be functional.
Script stderr:
[18:20:30] Using branding: PostgreSQL 14
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 SB_Version. Setting variable sb_version to empty value
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 pgAdmin_Version. Setting variable pgadmin_version to empty value
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 Data Directory. Setting variable server_data_dir to empty value
Executing C:\Users\USER\AppData\Local\Temp/postgresql_installer_631f935164/temp_check_comspec.bat
Script exit code: 0
Script output:
Active code page: 1252
Active code page: 1252
"test ok"
Script stderr:
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 Data Directory. Setting variable iDataDirectory to empty value
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 Service ID. Setting variable iServiceName to empty value
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 Service Account. Setting variable iServiceAccount to empty value
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 Super User. Setting variable iSuperuser to empty value
Could not find registry key HKEY_LOCAL_MACHINE\SOFTWARE\PostgreSQL\Installations\postgresql-x64-14 DisableStackBuilder. Setting variable iDisableStackBuilder to empty value
[18:20:31] Existing base directory: C:\Program Files\PostgreSQL\14
[18:20:31] Existing data directory:
[18:20:31] Using branding: PostgreSQL 14
[18:20:31] Using Super User: postgres and Service Account: NT AUTHORITY\NetworkService
[18:20:31] Using Service Name: postgresql-x64-14
Executing C:\Users\USER\AppData\Local\Temp\postgresql_installer_631f935164\getlocales.exe
Script exit code: 0
Script output:
EnglishxxCOMMAxxxxSPxxAustralia=English, Australia
EnglishxxCOMMAxxxxSPxxBelize=English, Belize
EnglishxxCOMMAxxxxSPxxCanada=English, Canada
EnglishxxCOMMAxxxxSPxxCaribbean=English, Caribbean
EnglishxxCOMMAxxxxSPxxHongxxSPxxKongxxSPxxSAR=English, Hong Kong SAR
EnglishxxCOMMAxxxxSPxxIndia=English, India
EnglishxxCOMMAxxxxSPxxIndonesia=English, Indonesia
EnglishxxCOMMAxxxxSPxxIreland=English, Ireland
**_TRUNCATED_**
Script stderr:
[18:21:45] Data Directory exists and is empty. Removing it
Preparing to Install
Preparing to Install
Directory already exists: C:\Program Files\PostgreSQL\14\installer
Unpacking files
Unpacking C:\Program Files\PostgreSQL\14\installer\prerun_checks.vbs
Unpacking C:\Program Files\PostgreSQL\14\installer\vcredist_x86.exe
Directory already exists: C:\Program Files\PostgreSQL\14\installer
Unpacking files
Unpacking C:\Program Files\PostgreSQL\14\installer\vcredist_x64.exe
Directory already exists: C:\Program Files\PostgreSQL\14
Directory already exists: C:\Program Files\PostgreSQL\14\..._***TRUNCATED**
Unpacking files
Unpacking C:\Program Files\PostgreSQL\14\bin\pg_regress_ecpg.exe
Unpacking C:\Program Files\PostgreSQL\14\bin\..._***TRUNCATED UNPACK A BOATLOAD OF FILES FOR INSTALLATION***_
Directory already exists: C:\Program Files\PostgreSQL\14
Directory already exists: C:\Program Files\PostgreSQL\14\bin
Directory already exists: C:\Program Files\PostgreSQL\14\lib
Directory already exists: C:\Program Files\PostgreSQL\14\installer
Directory already exists: C:\Program Files\PostgreSQL\14\installer\server
Directory already exists: C:\Program Files\PostgreSQL\14\scripts
Directory already exists: C:\Program Files\PostgreSQL\14\scripts\images
Unpacking files
Unpacking C:\Program Files\PostgreSQL\14\lib\libecpg_compat.dll
...**TRUNCATED***
Unpacking C:\Program Files\PostgreSQL\14\installer\vcredist_x64.exe
Setting variable whoami from C:\WINDOWS\System32\whoami
Script exit code: 0
Script output:
dn\USER
Script stderr:
Executing C:\WINDOWS\System32\icacls "C:\Users\USER\AppData\Local\Temp/postgresql_installer_3f464cf94c" /inheritance:r
Script exit code: 0
Script output:
processed file: C:\Users\USER\AppData\Local\Temp/postgresql_installer_3f464cf94c
Successfully processed 1 files; Failed processing 0 files
Script stderr:
Executing C:\WINDOWS\System32\icacls "C:\Users\USER\AppData\Local\Temp/postgresql_installer_3f464cf94c" /T /Q /grant "dn\USER:(OI)(CI)F"
Script exit code: 0
Script output:
Successfully processed 1 files; Failed processing 0 files
Script stderr:
[18:24:34] Removing the existing ldconfig setting - set during the previous installation.
[18:24:34] Running the post-installation/upgrade actions:
[18:24:34] Write the base directory to the ini file...
[18:24:34] Write the version number to the ini file...
Initialising the database cluster (this may take a few minutes)...
Executing C:\WINDOWS\System32\cscript //NoLogo "C:\Program Files\PostgreSQL\14/installer/server/initcluster.vbs" "NT AUTHORITY\NetworkService" "postgres" "****" "C:\Users\USER\AppData\Local\Temp/postgresql_installer_3f464cf94c" "C:\Program Files\PostgreSQL\14" "D:\pgData14" 5433 "DEFAULT" 0
Script exit code: 1
Script output:
WScript.Shell Initialized...
Scripting.FileSystemObject initialized...
Called CreateDirectory(D:\pgData14)...
Called CreateDirectory(D:\)...
Called ClearAcl (D:\pgData14)...
Executing batch file 'radEA2DE.bat'...
D:\pgData14 DN\USER:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(CI)(S,WD)
BUILTIN\Users:(I)(CI)(S,AD)
BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
Removing inherited ACLs on (D:\pgData14)
Executing batch file 'radEA2DE.bat'...
processed file: D:\pgData14
Successfully processed 1 files; Failed processing 0 files
WScript.Network initialized...
strParentOfDataDirD:\
logged in userDN\USER
Called AclCheck(D:\pgData14)
Called IsVistaOrNewer()...
'winmgmts' object initialized...
Version:10.
MajorVersion:10
Executing icacls to ensure the DN\USER account can read the path D:\pgData14
Executing batch file 'radEA2DE.bat'...
processed file: D:\pgData14
Successfully processed 1 files; Failed processing 0 files
Called IsVistaOrNewer()...
'winmgmts' object initialized...
Version:10.
MajorVersion:10
Ensuring we can write to the data directory (using icacls) to DN\USER:
Executing batch file 'radEA2DE.bat'...
processed file: D:\pgData14
Successfully processed 1 files; Failed processing 0 files
Called IsVistaOrNewer()...
'winmgmts' object initialized...
Version:10.
MajorVersion:10
Granting full access to (NT AUTHORITY\NetworkService) on (D:\pgData14)
Executing batch file 'radEA2DE.bat'...
processed file: D:\pgData14
Successfully processed 1 files; Failed processing 0 files
Called IsVistaOrNewer()...
'winmgmts' object initialized...
Version:10.
MajorVersion:10
Granting full access to CREATOR OWNER on (D:\pgData14)
Executing batch file 'radEA2DE.bat'...
processed file: D:\pgData14
Successfully processed 1 files; Failed processing 0 files
Called IsVistaOrNewer()...
'winmgmts' object initialized...
Version:10.
MajorVersion:10
Granting full access to SYSTEM on (D:\pgData14)
Executing batch file 'radEA2DE.bat'...
processed file: D:\pgData14
Successfully processed 1 files; Failed processing 0 files
Called IsVistaOrNewer()...
'winmgmts' object initialized...
Version:10.
MajorVersion:10
Granting full access to Administrators on (D:\pgData14)
Executing batch file 'radEA2DE.bat'...
processed file: D:\pgData14
Successfully processed 1 files; Failed processing 0 files
Executing batch file 'radEA2DE.bat'...
initdb: error: The program "postgres" was found by "C:/Program Files/PostgreSQL/14/bin/initdb.exe"
but was not the same version as initdb.
Check your installation.
Called Die(Failed to initialise the database cluster with initdb)...
Failed to initialise the database cluster with initdb
Script stderr:
Program ended with an error exit code
Error running C:\WINDOWS\System32\cscript //NoLogo "C:\Program Files\PostgreSQL\14/installer/server/initcluster.vbs" "NT AUTHORITY\NetworkService" "postgres" "****" "C:\Users\USER\AppData\Local\Temp/postgresql_installer_3f464cf94c" "C:\Program Files\PostgreSQL\14" "D:\pgData14" 5433 "DEFAULT" 0: Program ended with an error exit code
Problem running post-install step. Installation may not complete correctly
The database cluster initialisation failed.
Setting variable whoami from C:\WINDOWS\System32\whoami
Script exit code: 0
Script output:
dn\USER
Script stderr:
Executing C:\WINDOWS\System32\icacls "C:\Users\USER\AppData\Local\Temp/postgresql_installer_4701618998" /inheritance:r
Script exit code: 0
Script output:
processed file: C:\Users\USER\AppData\Local\Temp/postgresql_installer_4701618998
Successfully processed 1 files; Failed processing 0 files
Script stderr:
Executing C:\WINDOWS\System32\icacls "C:\Users\USER\AppData\Local\Temp/postgresql_installer_4701618998" /T /Q /grant "dn\USER:(OI)(CI)F"
Uninstalling C:\Program Files\PostgreSQL\14\...**__TRUNCATED UNINSTALLED THE BOATLOAD THAT WAS INSTALLED__**
Uninstalling C:/Program Files/PostgreSQL/14/bin...
Skipping C:/Program Files/PostgreSQL/14
Uninstallation completed
Exiting with code 1
There seems to be some conflict between running as an underprivileged user and administrator. You have to run as an underprivileged user to create the database cluster and then as an administrator to register the service. To get around this, first run initdb in some other directory, rather than the postgres data directory, e.g.:
\apps\server\postgres\bin\initdb.exe -A md5 -Upostgres -Eutf8 -W -D"data" --no-locale
then you copy the data directory created to the postgres data dir specified in the failed install, and then register the service manually like:
pg_ctl register -N postgres -D your_postgres_data_dir
Then you will be able to start/manage the postgres service in windows services as normal.

bash script calling rdiff-backup never ends

I want to run rdiff-backup and then switch off the Raspberry Pi it was running on.
I use the following script:
#!/bin/sh
date > /home/mik/rdiff-backup.log
echo "rsync start" >> /home/mik/rdiff-backup.log
rdiff-backup -v5 --print-statistics offlinebackup#server::/srv/backup /srv/datenserverBackup/backup >> /home/mik/rdiff-backup.log 2>&1
sync
date >> /home/mik/rdiff-backup.log
echo "rdiff-backup end" >> /home/mik/rdiff-backup.log
df -h >> /home/mik/rdiff-backup.log
sync
halt
The log file looks good (for the rdiff-backup part):
Sat 12 Aug 08:20:59 UTC 2017
rsync start
Unable to import win32security module. Windows ACLs
not supported by filesystem at /srv/backup
escape_dos_devices not required by filesystem at /srv/backup
Warning: name offlinebackup not found on system, dropping ACL entry.
Further ACL entries dropped with this name will not trigger further warnings
Using rdiff-backup version 1.2.8
Executing ssh -C offlinebackup#server rdiff-backup --server
-----------------------------------------------------------------
Detected abilities for source (read only) file system:
Access control lists On
Extended attributes On
Windows access control lists Off
Case sensitivity On
Escape DOS devices Off
Escape trailing spaces Off
Mac OS X style resource forks Off
Mac OS X Finder information Off
-----------------------------------------------------------------
Unable to import win32security module. Windows ACLs
not supported by filesystem at /srv/datenserverBackup/backup/rdiff-backup-data/rdiff-backup.tmp.0
escape_dos_devices not required by filesystem at /srv/datenserverBackup/backup/rdiff-backup-data/rdiff-backup.tmp.0
-----------------------------------------------------------------
Detected abilities for destination (read/write) file system:
Ownership changing On
Hard linking On
fsync() directories On
Directory inc permissions On
High-bit permissions On
Symlink permissions Off
Extended filenames On
Windows reserved filenames Off
Access control lists On
Extended attributes On
Windows access control lists Off
Case sensitivity On
Escape DOS devices Off
Escape trailing spaces Off
Mac OS X style resource forks Off
Mac OS X Finder information Off
-----------------------------------------------------------------
Backup: must_escape_dos_devices = 0
Starting increment operation /srv/backup to /srv/datenserverBackup/backup
Processing changed file .
Incrementing mirror file /srv/datenserverBackup/backup
Processing changed file abc
Incrementing mirror file /srv/datenserverBackup/backup/abc
Processing changed file abc/def
Incrementing mirror file /srv/datenserverBackup/backup/abc/def
Processing changed file abc/def/testfile.dxf
Incrementing mirror file /srv/datenserverBackup/backup/abc/def/testfile.dxf
--------------[ Session statistics ]--------------
StartTime 1502526061.00 (Sat Aug 12 08:21:01 2017)
EndTime 1502527913.72 (Sat Aug 12 08:51:53 2017)
ElapsedTime 1852.72 (30 minutes 52.72 seconds)
SourceFiles 151099
SourceFileSize 386321558216 (360 GB)
MirrorFiles 151097
MirrorFileSize 386321447731 (360 GB)
NewFiles 2
NewFileSize 110485 (108 KB)
DeletedFiles 0
DeletedFileSize 0 (0 bytes)
ChangedFiles 1
ChangedSourceSize 0 (0 bytes)
ChangedMirrorSize 0 (0 bytes)
IncrementFiles 4
IncrementFileSize 0 (0 bytes)
TotalDestinationSizeChange 110485 (108 KB)
Errors 0
--------------------------------------------------
The backup is working, but then the script ends right there.
rdiff-backup.log contains the full report of rdiff-backup. But neither the line "rdiff-backup end", nor the output of "df -h".
How can I make it run to the end?
Thanks for your answers
I finally found a workaround that solves my problem.
My script, which is called after booting from /etc/init.d, is calling the other script which does the actual work (i.e. backs up my data and writes the log file) as a background task.
/etc/init.d/CallAfterBoot.sh
#!/bin/sh
sleep 30
/home/me/DoBackup.sh & # '&' starts the script in background
/home/me/DoBackup.sh is the script I posted above, which is now running correctly.
Same script running as the same user now behaves differently. There's got to be some bug somewhere, however, it works for me now.

Which version of sos and clr/mscorwks.dll to load?

I have a 32-bit application (targeting .NET 3.5) hosted on a 64-bit machine. I want to analyze the memory dump of this 32-bit application. I captured the memory dump using 32-bit adplus and cdb. I am loading the memory dump into 32-bit windbg. When I load .net 2.0 sos.dll and .net 2.0 mscorwks.dll into windbg and execute !clrstack, I get the following error: "Failed to find runtime DLL (mscorwks.dll), 0x80004005
Extension commands need mscorwks.dll in order to have something to do." What am I doing wrong?
Info as requested in the comments
ADPlus command line:
adplus -hang -quiet -p 2440 -o C:\temp
WinDbg commands:
0:000> .load <fullpathto>\sos.dll
0:000> lmvm mscorwks
start end module name
0:000> .exr -1
ExceptionAddress: 00000000
ExceptionCode: 80000007 (Wake debugger)
ExceptionFlags: 00000000
NumberParameters: 0
The dump indicates that no .NET 2 was loaded. Otherwise the output of lmvm mscorwks should show the details of the .NET runtime, like this:
0:003> lmvm mscorwks
start end module name
61bc0000 6216e000 mscorwks (deferred)
Image path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
...
File version: 2.0.50727.5485
...
You mentioned that you loaded SOS by full path. If the dump was taken on your machine, you would typically load it using
0:003> .loadby sos mscorwks
In your case, this should already give you the hint that .NET was not loaded:
Unable to find module 'mscorwks'
If you're not so sure about the .NET version, try
.loadby sos clr; *** .NET 4
.loadby sos coreclr; *** Silverlight / Universal Apps
Maybe you had a typo in your AdPlus command line and specified the wrong process ID. If that PID accidentally exists, you got a wrong dump. Use | to check the process name
0:003> |
. 0 id: 1e78 attach name: E:\...\NET2x32.exe
BTW: The -quiet parameter of ADPlus is obsolete, you can omit it.

windbg exception in sos.threads on first run

When I load a crash dump in windbg (x64), version 6.3.9600.16384, and load the sos extension for .net, the first time I run the !threads command I get this error:
c0000005 Exception in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.threads debugger extension.
PC: 00007ffa`8fe6c7e3 VA: 00000000`00000000 R/W: 0 Parameter: 00000000`00000000
Subsequent times the command runs fine. Full transcript:
Loading Dump File [C:\Users\celdredge\AppData\Local\Temp\w3wp (2).DMP]
User Mini Dump File with Full Memory: Only application data is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
OK c:\projects\dumps\symbols
Symbol search path is: srv*;c:\projects\dumps\symbols
Executable search path is: srv*
Windows 8 Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
Built by: 6.3.9600.16384 (winblue_rtm.130821-1623)
Machine Name:
Debug session time: Tue Dec 17 23:03:00.000 2013 (UTC - 5:00)
System Uptime: 0 days 9:56:04.777
Process Uptime: 0 days 0:01:41.000
................................................................
................................................................
......................................................
ntdll!NtWaitForSingleObject+0xa:
00007ffa`a1d265ba c3 ret
0:000> .loadby sos clr
0:000> !threads
c0000005 Exception in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.threads debugger extension.
PC: 00007ffa`8fe6c7e3 VA: 00000000`00000000 R/W: 0 Parameter: 00000000`00000000
CLR version:
0:000> lm v mclr
start end module name
00007ffa`84450000 00007ffa`84de8000 clr (pdb symbols) C:\ProgramData\dbg\sym\clr.pdb\252574218A084BE3AFEFF8921ADADB6F2\clr.pdb
Loaded symbol image file: clr.dll
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
Browse all global symbols functions data
Timestamp: Tue Sep 10 02:54:48 2013 (522EC238)
CheckSum: 00994334
ImageSize: 00998000
File version: 4.0.30319.34003
Product version: 4.0.30319.34003
SOS version:
0:000> .chain
Extension DLL search Path:
<snip/>
Extension DLL chain:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll: image 4.0.30319.34003, API 1.0.0, built Tue Sep 10 02:44:16 2013
[path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll]
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos: image 4.0.30319.34003, API 1.0.0, built Tue Sep 10 02:44:16 2013
[path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll]
This seems to be a weird issue caused by saving an explicit workspace which remembers which extensions are loaded. If I .loadby sos clr and save the workspace, next time I open the workspace it will have sos loaded twice. However if I do .load c:\path\to\sos.dll and save the workspace, it only gets loaded once when I reopen it.
In summary, workspaces in windbg are confusing.

How do I make windbg load clr.dll from a custom location?

I am starting windbg using the following command line:
C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64>windbg -i c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64>
Then I load a memory crash dump and inspect where it loaded clr.dll from:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\tmp\Memory.dmp]
User Mini Dump File with Full Memory: Only application data is available
Comment: 'Dump created by DbgHost. First chance exception 0XE0434352'
Symbol search path is: c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
Windows 7 Version 7601 (Service Pack 1) MP (16 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 6.1.7601.17965 (win7sp1_gdr.121004-0333)
Machine Name:
Debug session time: Mon Oct 14 13:45:55.000 2013 (UTC - 4:00)
System Uptime: not available
Process Uptime: 0 days 2:49:12.000
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
............................................................
Loading unloaded module list
..
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(5768.5db4): CLR exception - code e0434352 (first/second chance not available)
KERNELBASE!RaiseException+0x39:
000007fe`fd33bccd 0000 add byte ptr [rax],al ds:00000000`3af07bb2=00
0:122> lm vm clr
start end module name
000007fe`f9a70000 000007fe`fa3ce000 clr (deferred)
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
Timestamp: Mon Jul 09 00:10:25 2012 (4FFA59B1)
CheckSum: 00959DDE
ImageSize: 0095E000
File version: 4.0.30319.17929
Product version: 4.0.30319.17929
File flags: 8 (Mask 3F) Private
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:122> ld clr
Symbols loaded for clr
0:122> lm vm clr
start end module name
000007fe`f9a70000 000007fe`fa3ce000 clr (pdb symbols) e:\symbols\clr.pdb\D3D86782AEDD446F917F5D81FDFD3D252\clr.pdb
Loaded symbol image file: clr.dll
Mapped memory image file: c:\tmp\clr.dll
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
Timestamp: Mon Jul 09 00:10:25 2012 (4FFA59B1)
CheckSum: 00959DDE
ImageSize: 0095E000
File version: 4.0.30319.17929
Product version: 4.0.30319.17929
File flags: 8 (Mask 3F) Private
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:122> .exepath
Executable image search path is: c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
Expanded Executable image search path is: c:\tmp\psscor4\amd64;c:\tmp\psscor4\x86;c:\tmp;srv*e:\symbols*http://msdl.microsoft.com/download/symbols
So, my question is why does windbg insist on loading clr.dll from C:\Windows\Microsoft.NET\Framework64\v4.0.30319 when both the image path and the symbol path direct to another location, c:\tmp, where the clr.dll that I truly need sits?
Now, when I force loading of the symbols, then we can see this:
Loaded symbol image file: clr.dll
Mapped memory image file: c:\tmp\clr.dll
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
I do not like it. I want the image path to come from c:\tmp as well.
How do I do it?
The Image path shows where the debuggee (the process which was dumped) found the clr.dll.
Like it or not, there's nothing you can do about it :-)