Windbg wrong symbols msvcr80 - windbg

I'm investigating a w3wp crash on our production machines. I'm loading the crash dump with WinDbg with the following settings:
SRV*C:\MicrosoftSymbols*http://msdl.microsoft.com/download/symbols;C:\MySymbols
sym noisy
(also tried symbol path http://msdn.microsoft.com/en-us/windows/hardware/gg463028)
Why can it still not load the msvcr80 symbols?
0:025> !analyze -v
* Exception Analysis *
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\w3wp.exe\45D6968E5000\w3wp.exe - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\w3wp.exe\45D6968E5000\w3wp.exe - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\mscorwks.dll\4889DC18590000\mscorwks.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\mscorwks.dll\4889DC18590000\mscorwks.dll - Mapped image memory
SYMSRV: mscorwks.pdb from http://msdl.microsoft.com/download/symbols: 4599999 bytes - copied
DBGHELP: mscorwks - public symbols
c:\microsoftsymbols\mscorwks.pdb\37AFE5AF09D54705B6B685CBCD2208FC2\mscorwks.pdb
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\mscorlib.ni.dll\4889DC80af7000\mscorlib.ni.dll - mismatched
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\mscorlib.ni.dll\4889DC80af7000\mscorlib.ni.dll - mismatched
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\mscorlib.ni.dll - file not found
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\mscorlib.ni.dll - file not found
SYMSRV: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\mscorlib.ni.dll\4889DC80af7000\mscorlib.ni.dll - file not found
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\mscorlib.ni.dll - file not found
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\mscorlib.ni.dll - file not found
SYMSRV: c:\microsoftsymbols\mscorlib.ni.dll\4889DC80af7000\mscorlib.ni.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/mscorlib.ni.dll/4889DC80af7000/mscorlib.ni.dll not found
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\mscorlib.ni.dll - file not found
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\mscorlib.ni.dll - file not found
DBGHELP: mscorlib.ni.dll not found in c:\mysymbols
DBGHELP: mscorlib.ni.dll not found in c:\mysymbols
DBGENG: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\9adb89fa22fd5b4ce433b5aca7fb1b07\mscorlib.ni.dll - Couldn't map image from disk.
Unable to load image C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\9adb89fa22fd5b4ce433b5aca7fb1b07\mscorlib.ni.dll, Win32 error 0n2
DBGENG: mscorlib.ni.dll - Partial symbol image load missing image info
DBGHELP: Module is not fully loaded into memory.
DBGHELP: Searching for symbols using debugger-provided data.
SYMSRV: mscorlib.pdb from http://msdl.microsoft.com/download/symbols: 117111 bytes - copied
*** WARNING: Unable to verify timestamp for mscorlib.ni.dll
DBGHELP: mscorlib_ni - public symbols
c:\microsoftsymbols\mscorlib.pdb\E47AF49130474776AF6C5994C50088421\mscorlib.pdb
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\kernel32.dll\49C51F0A102000\kernel32.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\kernel32.dll\49C51F0A102000\kernel32.dll - Mapped image memory
SYMSRV: kernel32.pdb from http://msdl.microsoft.com/download/symbols: 416879 bytes - copied
DBGHELP: kernel32 - public symbols
c:\microsoftsymbols\kernel32.pdb\BE496DC9472F4438B080C70594D8F9CC2\kernel32.pdb
SYMSRV: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\user32.dll\45E7C67691000\user32.dll not found
SYMSRV: user32.dll from http://msdl.microsoft.com/download/symbols: 266731 bytes - copied
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\user32.dll\45E7C67691000\user32.dll already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\user32.dll\45E7C67691000\user32.dll already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\user32.dll\45E7C67691000\user32.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\user32.dll\45E7C67691000\user32.dll - Mapped image memory
SYMSRV: user32.pdb from http://msdl.microsoft.com/download/symbols: 293451 bytes - copied
DBGHELP: user32 - public symbols
c:\microsoftsymbols\user32.pdb\B29B53A483EA4F5DAF2BF0FB1A4E7DB92\user32.pdb
DBGHELP: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\45D70AA5139000\ole32.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\45D70AA5139000\ole32.dll - Mapped image memory
SYMSRV: ole32.pdb from http://msdl.microsoft.com/download/symbols: 1014574 bytes - copied
DBGHELP: ole32 - public symbols
c:\microsoftsymbols\ole32.pdb\DC8A079CAE0B4A0C89EC5A936EAF1F7F2\ole32.pdb
FAULTING_IP:
msvcr80!terminate+4d
781346b4 e820460000 call msvcr80!_SEH_epilog4 (78138cd9)
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 781346b4 (msvcr80!terminate+0x0000004d)
ExceptionCode: 40000015
ExceptionFlags: 00000000
NumberParameters: 0
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: w3wp.exe
ERROR_CODE: (NTSTATUS) 0x40000015 - {Fatal Application Exit} %hs
EXCEPTION_CODE: (NTSTATUS) 0x40000015 (1073741845) - {Fatal Application Exit} %hs
APP: w3wp.exe
MANAGED_STACK: !dumpstack -EE
No export dumpstack found
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00000000 to 781346b4
STACK_TEXT:
14b98e30 00000000 00000000 00000000 00000000 msvcr80!terminate+0x4d
FOLLOWUP_IP:
msvcr80!terminate+4d
781346b4 e820460000 call msvcr80!_SEH_epilog4 (78138cd9)
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvcr80!terminate+4d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msvcr80
IMAGE_NAME: msvcr80.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4889d619
STACK_COMMAND: ~25s; .ecxr ; kb
FAILURE_BUCKET_ID: WRONG_SYMBOLS_40000015_msvcr80.dll!terminate
BUCKET_ID: APPLICATION_FAULT_WRONG_SYMBOLS_msvcr80!terminate+4d
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/w3wp_exe/6_0_3790_3959/45d6968e/msvcr80_dll/8_0_50727_3053/4889d619/40000015/000046b4.htm?Retriage=1
WATSON_IBUCKET: 977211931
WATSON_IBUCKETTABLE: 1
Followup: MachineOwner
Regards,
Michel

Sometimes WinDbg needs access to the .dll file itself to be able to locate the .pdb
(if the actual dump doesn't contain enough of the header).
Find the msvcr80.dll from the crashed machine, locate it via
File->Image File Path, and .reload

Related

Windbg symbol error

I'm attempting to debug an application using WinDbg. The server doesn't have internet access, so I can't use the Microsoft Symbol server. I went ahead and downloaded the symbols for Server 2012 R2 Retail. Moved them over to the server, and installed to C:\Symbols.
When I attempt to run the debugger, I get the following output.
CommandLine: C:\actionsync\ActionSync\ActionSync.exe
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
DBGHELP: Symbol Search Path: .sympath srv*c:\symbols*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred .sympath srv*c:\Symbols*
DBGHELP: Symbol Search Path: .sympath srv*c:\symbols*
DBGHELP: Symbol Search Path: .sympath srv*c:\symbols*
Symbol search path is: .sympath srv*c:\Symbols*
Executable search path is: srv*
DBGHELP: SharedUserData - virtual symbol module
ModLoad: 00ec0000 00ecc000 ActionSync.exe
ModLoad: 77120000 7728f000 ntdll.dll
ModLoad: 6fc30000 6fc86000 C:\Windows\SysWOW64\MSCOREE.DLL
ModLoad: 74de0000 74f20000 C:\Windows\SysWOW64\KERNEL32.dll
ModLoad: 74f20000 74ff7000 C:\Windows\SysWOW64\KERNELBASE.dll
(1054.478): Break instruction exception - code 80000003 (first chance)
DBGHELP: Invalid path: '.sympath srv*c:\symbols*'
DBGHELP: C:\Windows\SYSTEM32\wntdll.pdb - file not found
DBGHELP: wntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
eax=00000000 ebx=00000000 ecx=7fdc0000 edx=00000000 esi=7ee16000 edi=00000000
eip=771d3c7d esp=0104f2f4 ebp=0104f320 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrInitShimEngineDynamic+0x6dd:
771d3c7d cc int 3
I am completely new to using WinDbg. Additionally, I cannot install VS on this machine.
As far as I know, I have everything setup correctly, but I'm still not able to debug this application.
Any help would be appreciated.
EDIT 1:
I updated the symbol path based on Thomas Weller's Comment
Here is the output
0:000> .sympath
Symbol search path is: .sympath srv*c:\Symbols*
Expanded Symbol search path is: .sympath srv*c:\symbols*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred .sympath srv*c:\Symbols*
Error: Change all symbol paths attempts to access '.sympath c:\symbols' failed: 0x7b - The filename, directory name, or volume label syntax is incorrect.
************* Symbol Path validation summary **************
Response Time (ms) Location
Error 16 .sympath c:\symbols
DBGHELP: Symbol Search Path: .sympath c:\symbols
DBGHELP: Symbol Search Path: .sympath c:\symbols
0:000> .reload
Reloading current modules
.....
DBGHELP: Invalid path: '.sympath c:\symbols'
DBGHELP: C:\Windows\SYSTEM32\wntdll.pdb - file not found
DBGHELP: wntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
************* Symbol Loading Error Summary **************
Module name Error
ntdll All symbol search paths were invalid
Please check your symbol search path.
The following location did not respond and were excluded during symbol loading:
.sympath c:\symbols
EDIT 2:
So, it appears that the sympath is case sensitive.
I updated the sympath C:\Symbols
This is the output.
************* Symbol Path validation summary **************
Response Time (ms) Location
OK c:\Symbols
DBGHELP: Symbol Search Path: c:\symbols
DBGHELP: Symbol Search Path: c:\symbols
0:000> .reload
Reloading current modules
.....
DBGHELP: c:\symbols\wntdll.pdb - file not found
DBGHELP: c:\symbols\dll\wntdll.pdb - file not found
DBGHELP: c:\symbols\symbols\dll\wntdll.pdb - file not found
DBGHELP: C:\Windows\SYSTEM32\wntdll.pdb - file not found
DBGHELP: wntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
************* Symbol Loading Error Summary **************
Module name Error
ntdll PDB not found : c:\symbols\symbols\dll\wntdll.pdb
Unable to locate the .pdb file in this location
For both solutions, you need a copy of WinDbg (not necessarily an installation). You find symchk in the WinDbg folder.
Solution for a specific dump / specific debug session
On the machine where you're debugging, create crash dump file with .dump. Skip this step if you already have a crash dump file.
At a command prompt, create a manifest file, i.e. a file that contains information about the symbols to be downloaded
symchk /id <dumpfile>.dmp /om D:\symbols.manifest
/id is for input = dump
/om is for output = manifest
Transfer that manifest file onto a machine with Internet access.
On the Internet machine then run
symchk /im X:\symbols.manifest /s srv*X:\downloadedsymbols\*http://msdl.microsoft.com/download/symbols /od
at the command prompt.
/im is for input = manifest
/od is for output details (like verbose)
Transfer the symbols back to the machine without Internet access. Copy them into a new folder, e.g. c:\downloadedsymbols, not c:\symbols . Don't use an existing symbol path, because the n-tier-layout might not match.
Open the crash dump in WinDbg.
Fix the symbols
.sympath C:\downloadedsymbols
and maybe
.reload /f
Solution for retrieving all symbols of the machine without Internet
Note: this process may take really long, since it may download thousands of symbols
At a command prompt, run
symchk /r /if %windir% /om D:\windir.manifest
/r is for recursive
/if is for input = files
/om is for output = manifest
Transfer that manifest file onto a different machine with Internet access.
On the Internet machine, run
symchk /im X:\windir.manifest /s srv*X:\winsymbols\*http://msdl.microsoft.com/download/symbols /od
/im is for input = manifest
/od is for output details (like verbose)
Transfer the symbols back to the machine without Internet access. Copy them into a new folder, e.g. c:\winsymbols, not c:\symbols . Don't use an existing symbol path, because the n-tier-layout might not match.
Use the symbols with
.sympath C:\winsymbols
.reload

WinDbg cannot find symbols for ntdll on MS symbol server

I'm trying to debug executable notepad.exe (from Windows 10 distribution), and symbols ntdll.pdb from Microsoft symbols server are required, but debugger returns an error that they cannot find file specified:
0:000> .reload
Reloading current modules
.................................
SYMSRV: BYINDEX: 0x25
http://msdl.microsoft.com/download/symbols
ntdll.pdb
BC08E2B7EBB349A18DCE18BE9AA6660E1
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pdb
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pd_
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/file.ptr
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: C:\ProgramData\dbg\sym\ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb - file not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pdb not found
SYMSRV: C:\ProgramData\dbg\sym\ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb not found
DBGHELP: C:\WINDOWS\SYSTEM32\ntdll.pdb - file not found
DBGHELP: ntdll.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
DBGHELP: ntdll - export symbols
************* Symbol Loading Error Summary **************
Module name Error
SharedUserData No error - symbol load deferred
Symbol loading has been deferred because this symbol is not needed
at this time. Use reload /f to force load symbols.
ntdll The system cannot find the file specified : http://msdl.microsoft.com/download/symbols
The SYMSRV client failed to find a file in the UNC store, or there
is an invalid UNC store (an invalid path or the pingme.txt file is
not present in the root directory), or the file is present in the
symbol server exclusion list.
Is it possible that MS server does not contain required symbols?
It is: version 10.0.14393.447 (rs1_release_inmarket.161102-0100)
The NTDLL.PDB (ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb) is now online and I was able to get the PDB:
00007ffb`c79c0000 00007ffb`c7b91000 ntdll
(pdb symbols) d:\sym\dl\nt\ntdll.pdb\BC08E2B7EBB349A18DCE18BE9AA6660E1\ntdll.pdb
Loaded symbol image file: ntdll.dll
Image path: C:\Windows\System32\ntdll.dll
Image name: ntdll.dll
Browse all global symbols functions data
Timestamp: Wed Nov 2 11:13:06 2016 (5819BC32)
CheckSum: 001DA569
ImageSize: 001D1000
File version: 10.0.14393.447
Product version: 10.0.14393.447
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntdll.dll
OriginalFilename: ntdll.dll
ProductVersion: 10.0.14393.447
FileVersion: 10.0.14393.447 (rs1_release_inmarket.161102-0100)
FileDescription: NT Layer DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
So try again to load the symbols.
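Added example (not part of the original posts): the lookups in the logs above use a key taken from the image headers, TimeDateStamp + SizeOfImage for a binary and the CodeView RSDS GUID + age for its PDB, which is why the first answer says the debugger may need the .dll itself. The sketch below derives both store paths from a PE image; symbol_store_keys and build_sample_image are names made up for this example, and the sample image is constructed from the ntdll Timestamp, ImageSize and PDB index quoted in this thread.

```python
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIRECTORY_INDEX = 6


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def symbol_store_keys(image, image_name):
    """Return (image_path, pdb_path) as they are requested from a symbol store.

    pdb_path is None when the image carries no CodeView (RSDS) record, the
    situation DBGHELP reports as "no header information available".
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, timestamp = struct.unpack_from("<HI", image, pe + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (size_of_image,) = struct.unpack_from("<I", image, opt + 56)
    (ndirs,) = struct.unpack_from("<I", image, dirs - 4)
    # Binaries are indexed by TimeDateStamp (8 hex digits) + SizeOfImage.
    image_path = "%s/%08X%x/%s" % (image_name, timestamp, size_of_image, image_name)

    sections = []
    for i in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))

    if ndirs <= DEBUG_DIRECTORY_INDEX:
        return image_path, None
    dbg_rva, dbg_size = struct.unpack_from("<II", image, dirs + 8 * DEBUG_DIRECTORY_INDEX)
    if dbg_rva == 0:
        return image_path, None
    base = _rva_to_offset(sections, dbg_rva)
    for entry in range(base, base + dbg_size, 28):
        # Fields of one debug directory entry from offset 12:
        # Type, SizeOfData, AddressOfRawData, PointerToRawData
        dtype, _size, _rva, data = struct.unpack_from("<IIII", image, entry + 12)
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and image[data:data + 4] == b"RSDS":
            guid = uuid.UUID(bytes_le=bytes(image[data + 4:data + 20]))
            (age,) = struct.unpack_from("<I", image, data + 20)
            end = image.index(b"\0", data + 24)
            pdb = image[data + 24:end].decode("utf-8", "replace")
            pdb = pdb.replace("\\", "/").rsplit("/", 1)[-1]
            # PDBs are indexed by the RSDS GUID followed by the age.
            return image_path, "%s/%s%x/%s" % (pdb, guid.hex.upper(), age, pdb)
    return image_path, None


def build_sample_image():
    """Constructed minimal PE32+ carrying the ntdll values quoted in this thread."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, 0, 0, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x8664, 1, 0x5819BC32, 0, 0, 0xF0, 0x2022)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 56, 0x001D1000)            # SizeOfImage
    struct.pack_into("<I", img, opt + 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * 6, 0x1000, 28)  # debug directory
    struct.pack_into("<8sIIII", img, opt + 0xF0, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<IIHHIIII", img, 0x200, 0, 0x5819BC32, 0, 0, 2, 0x22, 0x1020, 0x220)
    record = (b"RSDS" + uuid.UUID("BC08E2B7-EBB3-49A1-8DCE-18BE9AA6660E").bytes_le
              + struct.pack("<I", 1) + b"ntdll.pdb\0")
    img[0x220:0x220 + len(record)] = record
    return img


if __name__ == "__main__":
    for path in symbol_store_keys(build_sample_image(), "ntdll.dll"):
        print(path)
```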

Not able to proceed with Windbg analysis of AppCrash_w3wp

I am doing a memory dump analysis for AppCrash_w3wp.
When I do an !analyze -v I get the following result.
Is there any problem in my symbol setup? Or is this analysis pointing to some actual issue? Could somebody please guide me on how to analyze this further?
====:>
*** WARNING: Unable to verify timestamp for webengine4.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\987d450520ea6e815c63db8aecba0761\System.Data.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Data.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Mvc\9f9155f1c13562534f6cb370b0ad8381\System.Web.Mvc.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.Mvc.ni.dll
*** ERROR: Module load completed but symbols could not be loaded for System.Web.Mvc.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\cb6d38da3ca9a62afed46123b693899e\System.Web.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System\4598449d72d7ebbd53952399ed5fc710\System.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.ni.dll
*** WARNING: Unable to verify timestamp for alk_dalkutil64.dll
*** ERROR: Module load completed but symbols could not be loaded for alk_dalkutil64.dll
FAULTING_IP:
KERNELBASE!RaiseException+39
000007fe`fda8940d 4881c4c8000000 add rsp,0C8h
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fefda8940d (KERNELBASE!RaiseException+0x0000000000000039)
ExceptionCode: e0434352 (CLR exception)
ExceptionFlags: 00000001
NumberParameters: 5
Parameter[0]: ffffffff80004003
Parameter[1]: 0000000000000000
Parameter[2]: 0000000000000000
Parameter[3]: 0000000000000000
Parameter[4]: 000007fefa140000
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=0000000001470000 rbx=000000001791d5d0 rcx=0000000001470000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000002
rip=0000000077be186a rsp=000000001791d498 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000040 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=000000001791d540
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwWaitForMultipleObjects+0xa:
00000000`77be186a c3 ret
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: w3wp.exe
ERROR_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>
EXCEPTION_PARAMETER1: ffffffff80004003
EXCEPTION_PARAMETER2: 0000000000000000
EXCEPTION_PARAMETER3: 0000000000000000
EXCEPTION_PARAMETER4: 0
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: w3wp.exe
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
MANAGED_STACK:
EXCEPTION_OBJECT: !pe 103f98b08
Exception object: 0000000103f98b08
Exception type: System.AccessViolationException
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException: <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004003
MANAGED_OBJECT: !dumpobj ffb11420
Name: System.String
MethodTable: 000007fef8886500
EEClass: 000007fef81a3750
Size: 26(0x1a) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:
Fields:
MT Field Offset Type VT Attr Value Name
0000000000000000 40000aa 8 System.Int32 1 instance 0 m_stringLength
0000000000000000 40000ab c System.Char 1 instance 0 m_firstChar
000007fef8886500 40000ac 18 System.String 0 shared static Empty
>> Domain:Value 0000000002488520:NotInit 0000000002576750:NotInit <<
EXCEPTION_MESSAGE: Attempted to read or write protected memory. This is often an indication that other memory is corru
MANAGED_OBJECT_NAME: SYSTEM.ACCESSVIOLATIONEXCEPTION
MANAGED_STACK_COMMAND: ** Check field _remoteStackTraceString **;!do 103f98b08;!do ffb11420
LAST_CONTROL_TRANSFER: from 000007fefa35565b to 000007fefda8940d
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION
STACK_TEXT:
00000000`00000000 00000000`00000000 w3wp!Unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: w3wp!Unknown
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: w3wp
IMAGE_NAME: w3wp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7afa2
STACK_COMMAND: ** Check field _remoteStackTraceString **;!do 103f98b08;!do ffb11420 ; ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: WRONG_SYMBOLS_e0434352_w3wp.exe!Unknown
BUCKET_ID: X64_APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION_w3wp!Unknown
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:wrong_symbols_e0434352_w3wp.exe!unknown
FAILURE_ID_HASH: {419a5b7f-31d5-d77e-cd0e-fe26c9258bfb}
Followup: MachineOwner
===
Edited on September 25
I have set up an environment variable
_NT_SYMBOL_PATH - symsrv*symsrv.dll*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols
I am wondering why it isn't loading all symbols dynamically?
I did a .symfix;.reload
I get the prompt for some time. Then I get a lot of .... on the screen and the regular prompt is back.
Then I did a "!sym noisy" and did ".symfix;.reload" again...
I get the following messages
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
..
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached
DBGHELP: ntdll - public symbols
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb
..............................................................
................................................................
................................................................
................................................................
................................................................
.....
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached
DBGHELP: KERNELBASE - public symbols
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb
Is there any problem in my symbol setup?
Yes. Correct it with the commands
.symfix x:\symbols; * Wherever you want the symbols to be
.reload
Or, if you have other symbol paths already set up:
.symfix+ x:\symbols
.reload
Or is this analysis pointing to some actual issue?
Also. You have a .NET exception which crashes your program. That is an issue.
The type is AccessViolation, something similar to a NullReferenceException. Hopefully, fixing symbols does not make a huge difference here.
Could somebody please guide me on how to analyze this further?
After fixing the symbols, proceed with
.loadby sos clr
!pe
!clrstack

Trouble Loading local symbols in WinDBG - Kernel Driver

I cannot figure out why my local symbols are not loading for a kernel driver compiled using WDK and VS2013.
I build the driver and place myDriver.pdb in C:\Symbols\local, and copy the myDriver.sys to my virtual machine. Using VirtualKD I start the debugger, install the driver, and look at my loaded modules or try to set a breakpoint on myDriver!DriverEntry. When I try the breakpoint I get:
BP expression myDriver.sys!DriverEntry could not be resolved, adding deferred bp
My symbol path is:
C:\Symbols\local;srv*C:\Symbols\symcache*http://msdl.microsoft.com/download/symbols
When I try to .reload /f myDriver.sys I get:
kd> .reload /f myDriver.sys
"myDriver.sys" was not found in the image list.
Debugger will attempt to load "myDriver.sys" at given base 00000000`00000000.
Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
DBGENG: myDriver.sys - Partial symbol image load missing image info
DBGHELP: No header for myDriver.sys. Searching for dbg file
DBGHELP: c:\symbols\local\myDriver.dbg - file not found
DBGHELP: c:\symbols\local\sys\myDriver.dbg - path not found
DBGHELP: c:\symbols\local\symbols\sys\myDriver.dbg - path not found
DBGHELP: .\myDriver.dbg - file not found
DBGHELP: .\sys\myDriver.dbg - path not found
DBGHELP: .\symbols\sys\myDriver.dbg - path not found
DBGHELP: myDriver.sys missing debug info. Searching for pdb anyway
DBGHELP: myDriver - private symbols & lines
c:\symbols\local\myDriver.pdb - unmatched
Unable to add module at 00000000`00000000
Any ideas as to how I can fix this?
Thanks!
Because the driver isn't loaded yet. A deferred bp is OK. It will be resolved on driver load. This is normal behavior, no need to "fix this".

Error:Symbol File not found in WinDbg

I am doing remote debugging of Windows Vista using VMware, but I encounter the
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe
Also, if I give "!process 0 0" in WinDbg, I get
**** NT ACTIVE PROCESS DUMP **** NT symbols are incorrect, please fix symbols
I tried setting _NT_SYMBOL_PATH to "symsrv*symsrv.dll*c:\symbols*http://msdl.microsoft.com/download/symbols" (this was given in http://support.microsoft.com/kb/311503/), then I changed the symbol file path of WinDbg to "srv*C:\Symbols\MsSymbols*http://msdl.microsoft.com/download/symbols", but even after that I get the same errors. When I run symchk.exe to download symbols, I get a lot of FAILED messages.
When I try to reload using .reload after running !sym noisy, I get
Connected to Windows Vista 6000 x86 compatible target at (Sat Jan 28 16:52:23.839 2012 (GMT+5)), ptr64 FALSE
SYMSRV: The system cannot find the file specified.
SYMSRV: The system cannot find the file specified.
SYMSRV: The system cannot find the file specified.
SYMSRV: c:\symbols\mssymbols\ntkrpamp.pdb\FD50D285751D4684938604B2CC1B41682\ntkrpamp.pdb not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrpamp.pdb/FD50D285751D4684938604B2CC1B41682/ntkrpamp.pdb not found
DBGHELP: ntkrpamp.pdb - file not found
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
DBGHELP: nt - export symbols
Loading Kernel Symbols
...............................................................
................................................................
............
Loading User Symbols
Loading unloaded module list
....
But still, when I try to run !process 0 0, I get an error saying incorrect symbols.
Thanks for your help and time in advance.
Your fixed symbol path looks good to me, that first path was entirely incorrect. Can you try the following commands and see if it works?
.symfix c:\websymbols
.reload /o
If that doesn't work, are you running an official version on the target? As in, it's not a Beta release or something, right? You might also want to rule out any networking issues.
I've encountered the same problems.
The cause is that my IE browser cannot connect to the Internet (while others could), causing WinDbg to return ERROR_CANNOT_CONNECT_INTERNET, so the pdb file cannot be found.
SYMSRV: BYINDEX: 0x5
d:\symbolslocal*http://msdl.microsoft.com/download/symbols
ntdll.dll
4CE7B96E13c000
SYMSRV: d:\symbolslocal\ntdll.dll\4CE7B96E13c000\ntdll.dll - file not found
SYMSRV: HTTPGET: /download/symbols/ntdll.dll/4CE7B96E13c000/ntdll.dll
SYMSRV: HttpSendRequest: 12029 - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV: d:\symbolslocal\ntdll.dll\4CE7B96E13c000\ntdll.dll not found
SYMSRV:http://msdl.microsoft.com/download/symbols/ntdll.dll/4CE7B96E13c000/ntdll.dll not found
DBGHELP: E:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ntdll.dll - file not found
DBGHELP: E:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ntdll.dll - file not found
DBGENG: ntdll.dll - Image mapping disallowed by non-local path.
DBGHELP: No debug info for ntdll.dll. Searching for dbg file
SYMSRV: BYINDEX: 0x6
d:\symbolslocal*http://msdl.microsoft.com/download/symbols
ntdll.dbg
4CE7B96E13c000
SYMSRV: d:\symbolslocal\ntdll.dbg\4CE7B96E13c000\ntdll.dbg - file not found
SYMSRV: HTTPGET: /download/symbols/ntdll.dbg/4CE7B96E13c000/ntdll.dbg
SYMSRV: HttpSendRequest: 12029 - ERROR_INTERNET_CANNOT_CONNECT
SYMSRV: d:\symbolslocal\ntdll.dbg\4CE7B96E13c000\ntdll.dbg not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.dbg/4CE7B96E13c000/ntdll.dbg not found
DBGHELP: .\ntdll.dbg - file not found
DBGHELP: .\dll\ntdll.dbg - path not found
DBGHELP: .\symbols\dll\ntdll.dbg - path not found
DBGHELP: ntdll.dll missing debug info. Searching for pdb anyway
DBGHELP: Can't use symbol server for ntdll.pdb - no header information available
DBGHELP: ntdll.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
So just fix the IE problem, then WinDbg will work fine.
As for how to fix the IE problem:
open 'Internet Options' ---> 'Connection' ---> delete all connections ---> restart IE ---> IE OK
Then WinDbg can access the Internet and download symbol files.
IE being unable to access the Internet may cause many problems in many programs. Hope it helps.
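Added example (not part of the original posts): the "!sym noisy" outputs collected on this page fail for different reasons that look alike at first glance (bad symbol path string, file absent on the server, no network connection, unmatched PDB, missing image header). The triage sketch below separates them; the function and category names are made up for this example, and the sample lines are copied from the outputs quoted in the posts above.

```python
import re

# Signatures of the symbol-loading failures that appear in the posts on this page.
LINE_RULES = [
    ("invalid_sympath", re.compile(r"DBGHELP: Invalid path: '(.*)'")),
    ("not_matched", re.compile(r"(\S+) - (?:unmatched|mismatched)$")),
    ("no_image_header",
     re.compile(r"DBGHELP: Can't use symbol server for (\S+) - no header information")),
]
HTTP_GET = re.compile(r"SYMSRV:\s+HTTPGET: (\S+)")
HTTP_RESULT = re.compile(r"SYMSRV:\s+Http(?:QueryInfo|SendRequest): (\d+) - \S+")
HTTP_CAUSES = {"404": "not_on_server", "12029": "cannot_connect"}


def triage(log_text):
    """Return de-duplicated (cause, subject) findings in order of appearance."""
    findings = []
    last_get = None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HTTP_GET.search(line)
        if match:
            # /download/symbols/<name>/<key>/<file>: keep <name>/<key>, so the
            # .pdb, .pd_ and file.ptr probes for one symbol count as one finding.
            last_get = "/".join(match.group(1).split("/")[-3:-1])
            continue
        finding = None
        match = HTTP_RESULT.search(line)
        if match:
            code = match.group(1)
            finding = (HTTP_CAUSES.get(code, "http_status_" + code), last_get or "?")
        else:
            for cause, rule in LINE_RULES:
                match = rule.search(line)
                if match:
                    finding = (cause, match.group(1))
                    break
        if finding and finding not in findings:
            findings.append(finding)
    return findings


# Lines copied from the debugger outputs quoted in the posts on this page.
SAMPLE_LOG = r"""
DBGHELP: Invalid path: '.sympath srv*c:\symbols*'
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pdb
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntdll.pdb/BC08E2B7EBB349A18DCE18BE9AA6660E1/ntdll.pd_
SYMSRV: HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
SYMSRV: HTTPGET: /download/symbols/ntdll.dll/4CE7B96E13c000/ntdll.dll
SYMSRV: HttpSendRequest: 12029 - ERROR_INTERNET_CANNOT_CONNECT
c:\symbols\local\myDriver.pdb - unmatched
DBGHELP: Can't use symbol server for ntdll.pdb - no header information available
"""

if __name__ == "__main__":
    for cause, subject in triage(SAMPLE_LOG):
        print("%-16s %s" % (cause, subject))
```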