Decrypt my World

Cryptography, Security, Debugging and more!

How to use DHeapMon.exe to troubleshoot Desktop Heap issues

How to use DHeapMon.exe to troubleshoot Desktop Heap issues

  • Comments 10

Hi all,

The other day I had to troubleshoot an issue with a process that a specific Windows service was trying to launch without success. We could see with a debugger (i.e. WinDbg) that the new process was actually being created but it exited before we even got to its main function.

This may be a typical Desktop Heap issue. I won't explain Desktop Heap here. We already have a great overview on this topic: Desktop Heap Overview. They also explain how to troubleshoot this kind of issues with DHeapMon tool. You should read this article before you continue reading this post.

If everything is explained in previous link, why do I write this post? Well, they don't explain in detail how to configure and use DHeapMon, and it took me a while to figure this out. I hope this saves you some time. 

 

We can get latest version of DHeapMon.exe here: Desktop Heap Monitor Version 8.1.

You will also need to download the following set of tools: Debugging Tools for Windows. We'll need Symchk.exe tool included in those tools.

Once you install all tools in target machine you can use cmd.exe to run the following commands:

1) Set Microsoft symbols server:

set _NT_SYMBOL_PATH = srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Note: We'll need win32k.sys correct symbols to be able to setup DHeapMon.

2) Load symbols for win32k.sys: 

symchk c:\windows\system32\win32k.sys /v

Note: The symbols we need will be copied to c:\symbols.

3) Install DHeapMon driver:

dheapinst -y c:\symbols

4) Start DHeapMon driver:

dheapmon.exe -l

5) Get DHeapMon output: 

5.1) For current user session:

dheapmon.exe

5.2) For session 0 (Windows services):

at 13:12 c:\path_to_dheapmon\dheapmon.exe -f c:\result.txt

Note: To access session 0 information we need to run DHeapMon under a high priviledged account in the Windows services world. A trick to do that is to launch the tool as an scheduled task with an AT command. This way DHeapMon will be running (by default) as System in the same session as the other services. We print the output to a .txt file because the tool will be running in an invisible desktop.

6) Stop DHeapMon driver:

dheapmon.exe -u

7) Uninstall DHeapMon driver:

dheapinst.exe -r

 

DHeapMon shows Desktop Heap usage for different Window Station\Desktop combinations. If you want to understand these combinations better, check this article: INFO: Services, Desktops, and Window Stations.

If you want to know more info on typical Desktop Heap issues and changes to SharedSection and SessionViewSize values (commented in the overview article above), check these articles:

184802 PRB: User32.dll or Kernel32.dll fails to initialize

840342 Applications may not run correctly in a Terminal Services environment

 

I hope this helps.

Regards,

 

Alex (Alejandro Campos Magencio)
 

  • Gr8 article .... keep posting :-)

  • Sometimes customers open technical support cases because of this (apparently simple) issue: “System.Web.Services.

  • Alex, thanks for this great article.  I keep it on my list of items to mail to other developers.

    I've faced a problem with dheapmon since about June, though -- it will no longer install or load.  I've followed your instructions several times, read the dheapmon docs, tried googling, tried troubleshooting with procmon, and haven't found how to get around this issue.

    I get an error "Dheapmon - Software is not installed or Driver is not running (1012)" when I try to load the appropriate dheapmon driver.  I try to install the correct driver again, and I get "Driver Installation error occured (3)" whenever I try to run dheapinst or dheapinst with my correct pdb symbols.

    I haven't found any help on this error "Driver Installation error occured (3)".  Have you faced it?

  • Thanks for this great article, it helped me to detect and resolve a long time issues concerning out of memory and failed menu painting in Windows XP 32bit.

  • I am unable to install Dheapmon on my machine.

    C:\kktools\dheapmon8.1\x64>dheapinst -y c:\symbols

     dheapinst - Win32k.sys symbol load error, Correct symbol required

    C:\kktools\dheapmon8.1\x64>dheapmon.exe -l

     Dheapmon - Software is not installed or Driver is not running (1012)

    C:\kktools\dheapmon8.1\x64>dheapinst.exe -y srv*msdl.microsoft.com/downlo

    ad/symbols

     dheapinst - Driver Installation error occured (124)

    Can you please suggest?

  • Did you follow all the steps to load the win32k.sys symbols? Can you see them in c:\symbols folder?

  • C:\kktools\dheapmon8.1>cd x86

    C:\kktools\dheapmon8.1\x86>dheapinst -y c:\symbols

     dheapinst - Desktop Heap Monitor installed successfully

    C:\kktools\dheapmon8.1\x86>dheapmon.exe -l

    Desktop Heap Information Monitor Tool (Version 8.1.2925.0)

    Copyright (c) Microsoft Corporation.  All rights reserved.

     DheapmonLoadDriver() was failed. Error (50)4

    I have downloaded the windows symbol package but still unable to installl dheapmon.exe -l.

    Any idea?

  • I am experiencing the same thing. Two errors are thrown out immediately when I try to install Dheapmon

    dheapinst - y C:\Windows  

    It says :    dheapinst- Driver Deletion error occured (5)

                   dheapinst - Driver Installation error occured (1)

  • I couldn't get symchk to copy anything to C:\SYMBOLS on WinXPsp3.

    I got it to work by getting the symbols from here: msdn.microsoft.com/.../gg463028.aspx

    The installer will load a lot of them to c:\Windows\SYMBOLS.

    Then:

    dheapinst -y C:\Windows\SYMBOLS

    dheapmon.exe -l

  • Any way to get information for all session ID's at once and / or the total size for all desktops over all sessions?

Page 1 of 1 (10 items)
Leave a Comment
  • Please add 1 and 5 and type the answer here:
  • Post
Translate This Page