We Keep Coding

WinDbg cannot find symbols for ntdll on MS symbol server

I'm trying to debug executable notepad.exe (from Windows 10 distribution), and symbols ntdll.pdb from Microsoft symbols server are required, but debugger returns an error that they cannot find file specified:
0:000> .reload
Reloading current modules
.................................
SYMSRV: BYINDEX: 0x25
http://msdl.microsoft.com/download/symbols
ntdll.pdb
BC08E2B7EBB349A18DCE18BE9AA6660E1
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pdb
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pd_
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/file.ptr
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: C:\ProgramData\dbg\sym\ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb - file not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pdb not found
SYMSRV: C:\ProgramData\dbg\sym\ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb not found
DBGHELP: C:\WINDOWS\SYSTEM32\ntdll.pdb - file not found
DBGHELP: ntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
************* Symbol Loading Error Summary **************
Module name Error
SharedUserData No error - symbol load deferred
Symbol loading has been deferred because this symbol is not needed
at this time. Use reload /f to force load symbols.
ntdll The system cannot find the file specified : http://msdl.microsoft.com/download/symbols
The SYMSRV client failed to find a file in the UNC store, or there
is an invalid UNC store (an invalid path or the pingme.txt file is
not present in the root directory), or the file is present in the
symbol server exclusion list.
Is it possible that MS server does not contain required symbols?
It is: version 10.0.14393.447 (rs1_release_inmarket.161102-0100)

The NTDLL.PDB (ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb) is now online and I was able to get the PDB:
00007ffb`c79c0000 00007ffb`c7b91000 ntdll
(pdb symbols) d:\sym\dl\nt\ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb
Loaded symbol image file: ntdll.dll
Image path: C:\Windows\System32\ntdll.dll
Image name: ntdll.dll
Browse all global symbols functions data
Timestamp: Wed Nov 2 11:13:06 2016 (5819BC32)
CheckSum: 001DA569
ImageSize: 001D1000
File version: 10.0.14393.447
Product version: 10.0.14393.447
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntdll.dll
OriginalFilename: ntdll.dll
ProductVersion: 10.0.14393.447
FileVersion: 10.0.14393.447 (rs1_release_inmarket.161102-0100)
FileDescription: NT Layer DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
So try again to load the symbols.

UDK error, how to examine crash dump

I am working on a game in UDK, and sometimes the game crashes when restarting the level or trying to open a new one.
I cannot find the problem trough the log files, they are just displaying a critical error.
Now I am trying to fix it by examining the crash dump, but I do not have a clue how to do this. Does anyone have an idea how I can further investigate the problem? I tried some things that I found online and this is what I have so far.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for UDK.exe -
eax=00000000 ebx=39280070 ecx=0cdc0f10 edx=ffffffff esi=2a193f40 edi=296f96a0
eip=01c2caf3 esp=007cdf84 ebp=2c0132b0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
UDK!GetStackOwnerClass+0x10a73:
01c2caf3 8b10 mov edx,dword ptr [eax] ds:002b:00000000=????????
0:000> !sym noisy
noisy mode - symbol prompts on
0:000> lmvm ntdll
start end module name
77890000 77a10000 ntdll (export symbols) ntdll.dll
Loaded symbol image file: ntdll.dll
Mapped memory image file: C:\Windows\SysWOW64\ntdll.dll
Image path: C:\Windows\SysWOW64\ntdll.dll
Image name: ntdll.dll
Timestamp: Thu Aug 29 03:50:31 2013 (521EA8E7)
CheckSum: 00140982
ImageSize: 00180000
File version: 6.1.7601.18247
Product version: 6.1.7601.18247
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntdll.dll
OriginalFilename: ntdll.dll
ProductVersion: 6.1.7601.18247
FileVersion: 6.1.7601.18247 (win7sp1_gdr.130828-1532)
FileDescription: NT Layer DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.

The most basic analysis in WInDbg is done with
.symfix
.reload
!analyze -v
Since it crashes, there should be an exception somewhere. Try
.ecxr
.exr -1
Also the call stack is potentially interesting. Since this is about UDK (Unreal Engine Development Kit), I assume it's written in C++ and thus we need a native call stack
k

windbg exception in sos.threads on first run

When I load a crash dump in windbg (x64), version 6.3.9600.16384, and load the sos extension for .net, the first time I run the !threads command I get this error:
c0000005 Exception in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.threads debugger extension.
PC: 00007ffa`8fe6c7e3 VA: 00000000`00000000 R/W: 0 Parameter: 00000000`00000000
Subsequent times the command runs fine. Full transcript:
Loading Dump File [C:\Users\celdredge\AppData\Local\Temp\w3wp (2).DMP]
User Mini Dump File with Full Memory: Only application data is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
OK c:\projects\dumps\symbols
Symbol search path is: srv*;c:\projects\dumps\symbols
Executable search path is: srv*
Windows 8 Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
Built by: 6.3.9600.16384 (winblue_rtm.130821-1623)
Machine Name:
Debug session time: Tue Dec 17 23:03:00.000 2013 (UTC - 5:00)
System Uptime: 0 days 9:56:04.777
Process Uptime: 0 days 0:01:41.000
................................................................
................................................................
......................................................
ntdll!NtWaitForSingleObject+0xa:
00007ffa`a1d265ba c3 ret
0:000> .loadby sos clr
0:000> !threads
c0000005 Exception in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.threads debugger extension.
PC: 00007ffa`8fe6c7e3 VA: 00000000`00000000 R/W: 0 Parameter: 00000000`00000000
CLR version:
0:000> lm v mclr
start end module name
00007ffa`84450000 00007ffa`84de8000 clr (pdb symbols) C:\ProgramData\dbg\sym\clr.pdb\252574218A084BE3AFEFF8921ADADB6F2\clr.pdb
Loaded symbol image file: clr.dll
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
Browse all global symbols functions data
Timestamp: Tue Sep 10 02:54:48 2013 (522EC238)
CheckSum: 00994334
ImageSize: 00998000
File version: 4.0.30319.34003
Product version: 4.0.30319.34003
SOS version:
0:000> .chain
Extension DLL search Path:
<snip/>
Extension DLL chain:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll: image 4.0.30319.34003, API 1.0.0, built Tue Sep 10 02:44:16 2013
[path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll]
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos: image 4.0.30319.34003, API 1.0.0, built Tue Sep 10 02:44:16 2013
[path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll]

This seems to be a weird issue caused by saving an explicit workspace which remembers which extensions are loaded. If I .loadby sos clr and save the workspace, next time I open the workspace it will have sos loaded twice. However if I do .load c:\path\to\sos.dll and save the workspace, it only gets loaded once when I reopen it.
In summary, workspaces in windbg are confusing.

How do I make windbg load clr.dll from a custom location?

I am starting windbg using the following command line:
C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64>windbg -i c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64>
Then I load a memory crash dump and inspect where did it load the clr.dll from:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\tmp\Memory.dmp]
User Mini Dump File with Full Memory: Only application data is available
Comment: 'Dump created by DbgHost. First chance exception 0XE0434352'
Symbol search path is: c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
Windows 7 Version 7601 (Service Pack 1) MP (16 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 6.1.7601.17965 (win7sp1_gdr.121004-0333)
Machine Name:
Debug session time: Mon Oct 14 13:45:55.000 2013 (UTC - 4:00)
System Uptime: not available
Process Uptime: 0 days 2:49:12.000
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
............................................................
Loading unloaded module list
..
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(5768.5db4): CLR exception - code e0434352 (first/second chance not available)
KERNELBASE!RaiseException+0x39:
000007fe`fd33bccd 0000 add byte ptr [rax],al ds:00000000`3af07bb2=00
0:122> lm vm clr
start end module name
000007fe`f9a70000 000007fe`fa3ce000 clr (deferred)
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
Timestamp: Mon Jul 09 00:10:25 2012 (4FFA59B1)
CheckSum: 00959DDE
ImageSize: 0095E000
File version: 4.0.30319.17929
Product version: 4.0.30319.17929
File flags: 8 (Mask 3F) Private
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:122> ld clr
Symbols loaded for clr
0:122> lm vm clr
start end module name
000007fe`f9a70000 000007fe`fa3ce000 clr (pdb symbols) e:\symbols\clr.pdb\D3D86782AEDD446F917F5D81FDFD3D252\clr.pdb
Loaded symbol image file: clr.dll
Mapped memory image file: c:\tmp\clr.dll
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
Timestamp: Mon Jul 09 00:10:25 2012 (4FFA59B1)
CheckSum: 00959DDE
ImageSize: 0095E000
File version: 4.0.30319.17929
Product version: 4.0.30319.17929
File flags: 8 (Mask 3F) Private
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:122> .exepath
Executable image search path is: c:\tmp\Psscor4\amd64;c:\tmp\Psscor4\x86;c:\tmp;srv*E:\symbols*http://msdl.microsoft.com/download/symbols
Expanded Executable image search path is: c:\tmp\psscor4\amd64;c:\tmp\psscor4\x86;c:\tmp;srv*e:\symbols*http://msdl.microsoft.com/download/symbols
So, my question is why does windbg insist on loading clr.dll from C:\Windows\Microsoft.NET\Framework64\v4.0.30319 when both the image path and the symbol path direct to another location where sits the clr.dll that I truly need - c:\tmp?
Now, when I force loading of the symbols, then we can see this:
Loaded symbol image file: clr.dll
Mapped memory image file: c:\tmp\clr.dll
Image path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
Image name: clr.dll
I do not like it. I want the image path to come from c:\tmp as well.
How do I do it?

The Image path shows where debugee (the process which were dumped) found the clr.dll.
Like it or not, it's noting you can do about it :-)

Host information from a crash dump file

Is it possible to get information about the host where a dump file was been created e.g., OS version, service pack, .NET framework version etc.

Also the vertarget command displays current version of the Microsoft Windows operating. system

OS version and so forth is listed automatically when you open the dump file.
You can get the .NET framework version using the !eeversion command.
0:000> !eeversion
2.0.50727.4952 free
Workstation mode
SOS Version: 2.0.50727.4952 retail build
To get additional information for loaded modules use the verbose option for lm. E.g.
0:000> lm vm mscoree
start end module name
000007fe`f0f10000 000007fe`f0f7f000 mscoree (deferred)
Image path: C:\Windows\System32\mscoree.dll
Image name: mscoree.dll
Timestamp: Fri Nov 06 06:09:26 2009 (4AF3AF86)
CheckSum: 00072187
ImageSize: 0006F000
File version: 4.0.31106.0
Product version: 4.0.31106.0
File flags: 8 (Mask 3F) Private
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® .NET Framework
InternalName: mscoree.dll
OriginalFilename: mscoree.dll
ProductVersion: 4.0.31106.0
FileVersion: 4.0.31106.0 (Main.031106-0000)
PrivateBuild: DDBLD278
FileDescription: Microsoft .NET Runtime Execution Engine
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail