May, 2009

  • Never doubt thy debugger

    Logparser automated within Windbg

    • 1 Comments

    The .shell command in Windbg allows to pipe the output of a debugger command to an external process and automatically print its output back inside the debugger window; a useful example is the command FIND, for example if we want to parse the stack for every thread and find every call where the word “isapi” is involved:

    0:036> .shell -ci "~*kpL1000" find /i "isapi"
    013cff78 1004f94e ISAPI_Rewrite!TerminateFilter+0x3cef
    013cffb0 1004f9f3 ISAPI_Rewrite!TerminateFilter+0x4462e
    013cffec 00000000 ISAPI_Rewrite!TerminateFilter+0x446d3
    0144ff78 1004f94e ISAPI_Rewrite+0x7763
    0144ffb0 1004f9f3 ISAPI_Rewrite!TerminateFilter+0x4462e
    0144ffec 00000000 ISAPI_Rewrite!TerminateFilter+0x446d3
    .shell: Process exited

    Incidentally also LogParser (one of my favorite debugging tools) can accept data to be parsed from the input stream using the STDIN keyword, so for example refactoring a script I posted some time ago we can find out if there are any duplicated assemblies in our application pool that should be moved to the GAC:

    0:000> .shell -ci "!peb" logparser "select extract_filename(text) as Duplicated_Assemblies, count(Duplicated_Assemblies) as Hits from STDIN where index_of(text, 'temporary asp.net files') > 0 group by Duplicated_Assemblies having count(Duplicated_Assemblies) > 1" -i:textline -o:nat -rtp:-1
    Duplicated_Assemblies Hits
    ---------------------------- ----
    errormanager.dll 2
    winformsui.dll 2
    externallibraryinterface.dll 2
    ptshopengine.dll 2
    schemas.dll 2
    dbengine.dll 2
    flowservice.dll 2

    Statistics:
    -----------
    Elements processed: 182
    Elements output: 7
    Execution time: 0.02 seconds

    .shell: Process exited

     

    Following the same principle, we can find out if there are strong named assemblies in our /bin folder as follows:

    0:000> .shell -ci "!dumpdomain" find /i "shared domain"
    Shared Domain: 0x793f2aa8
    .shell: Process exited




    0:000> .shell -ci "!dumpdomain 0x793f2aa8" logparser "SELECT DISTINCT EXTRACT_FILENAME(text) as Strong_Named_Assemblies_In_/bin FROM STDIN WHERE INDEX_OF(to_lowercase(text), 'temporary asp.net files') > 0" -i:TEXTLINE -o:NAT -RTP:-1
    Strong_Named_Assemblies_In_/bin
    -----------------------------------------
    crypto.dll
    radplaceholder.dll
    scms.dll
    sqldac.dll
    scontrollibrary.dll
    spell.dll
    editor.dll
    scms.resources.dll

    Statistics:
    -----------
    Elements processed: 164
    Elements output: 8
    Execution time: 0.01 seconds

    .shell: Process exited

     

    Instead of typing the whole command you can save it in a text file and execute it directly within Windbg with a command like “$><c:\debuggers\snassemblies.txt”.

     

    Carlo

    Quote of the day:
    Setting a good example for children takes all the fun out of middle age. - William Feather
Page 1 of 1 (1 items)