Welcome to the Microsoft NTDebugging blog! I’m Matthew Justice, an Escalation Engineer on Microsoft’s Platforms Critical Problem Resolution (CPR) team. Our team will be blogging about troubleshooting Windows problems at a low level, often by using the Debugging Tools for Windows. For more information about us and this blog, check out the about page.
To get things started I want to provide you with a list of tools that we’ll be referencing in our upcoming blog posts, as well as links to some technical documents to help you get things configured.
The big list of tools:
The following tools are part of the “Debugging Tools for Windows” – you’ll definitely need these
http://www.microsoft.com/whdc/devtools/debugging/
· windbg
· cdb
· ntsd
· tlist
· gflags
· adplus
· UMDH
· symcheck
Sysinternals provides some great tools that we’ll be discussing
http://www.sysinternals.com
· Process Explorer
· Process Monitor
· Regmon
· Filemon
· DbgView
· Handle.exe
· Tcpview
· LiveKD
· AutoRuns
· WinObj
There are many tools contained in “MPS Reports” (MPSRPT_SETUPPerf.EXE), but I’m listing it here specifically for Checksym
http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
· Checksym
“Windows Server 2003 Resource Kit Tools” is another great set of tools. In particular Kernrate is a part of that package
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9D467A69-57FF-4AE7-96EE-B18C4790CFFD
· Kernrate
Windows XP SP2 Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en
· netcap
· poolmon
· memsnap
· tracefmt (64-bit versions available in the DDK)
· tracelog
· tracepdb
· depends
· pstat
“Visual Studio “ – in addition to the compilers and IDE, the following tools come in handy:
· SPY++
· dumpbin
Perfwiz (Performance Monitor Wizard)
http://www.microsoft.com/downloads/details.aspx?FamilyID=31fccd98-c3a1-4644-9622-faa046d69214&DisplayLang=en
DebugDiag
http://www.iis.net/handlers/895/ItemPermaLink.ashx
Userdump (User Mode Process Dumper)
http://www.microsoft.com/downloads/details.aspx?FamilyID=E089CA41-6A87-40C8-BF69-28AC08570B7E&displaylang=en
Dheapmon (Desktop Heap Monitor)
http://www.microsoft.com/downloads/details.aspx?familyid=5CFC9B74-97AA-4510-B4B9-B2DC98C8ED8B&displaylang=en
Netmon 3.0
§ Go to http://connect.microsoft.com/
§ Sign in with your passport account
§ Choose "Available Connections" on the left
§ Choose "Apply for Network Monitor 3.0” (once you've finished with the application, the selection appears in your "My Participation" page)
§ Go to the Downloads page (On the left side), and select the appropriate build 32 or 64 bit build.
Some articles you may find useful:
Debugging Tools and Symbols: Getting Started
http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx
Boot Parameters to Enable Debugging
http://msdn2.microsoft.com/en-us/library/ms791527.aspx
How to Generate a Memory Dump File When a Server Stops Responding (Hangs)
http://support.microsoft.com/kb/303021/
After installing the “Debugging Tools for Windows”, you’ll find two documents at the root of the install folder that are helpful:
· kernel_debugging_tutorial.doc - A guide to help you get started using the kernel debugger.
· debugger.chm - The help file for the debuggers. It details the commands you can use in the debugger. Think of this as a reference manual, rather than a tutorial.
Why cant I find win32k.pdb?
win32k.sys version 5.1.2600.3099 (MS07-17)
Trying to get Dheapmon (Desktop Heap Monitor) working (xpsp2+all hotfixes):
Following http://support.microsoft.com/kb/914216
C:\kktools\dheapmon8.1\x86>dheapinst.exe -y SRV*c:\websymbols*http://msdl.micros/
oft.com/download/symbols
dheapinst - Win32k.sys symbol load error, Correct symbol required
Tryed symchk.exe from latest dbg tools:
C:\Program Files\Debugging Tools for Windows>symchk.exe c:\winnt\system32\win32k
.sys /s c:\websymbols
SYMCHK: win32k.sys FAILED - win32k.pdb mismatched or not found
SYMCHK: FAILED files = 1
SYMCHK: PASSED + IGNORED files = 0
We are testing our Windows Server based product on Longhorn and are debugging a memory leak in a stress environment. Look at the UMDH log (snippet below). The first stack trace (BackTrace162528) is suspect, but inspite of all symbols being present, the trace is incomplete (shows only the call to RtlAllocateHeap).. Can you guys tell me what's going on? Is this a bug with UMDH on Longhorn?
+ 36686968 ( 40772037 - 4085069) 13723 allocs BackTrace162528
+ 4185 ( 13723 - 9538) BackTrace162528 allocations
ntdll!RtlAllocateHeap+0000021D
+ 811504 ( 811504 - 0) 1 allocs BackTraceD4354F4
+ 1 ( 1 - 0) BackTraceD4354F4 allocations
pdh!PdhiHeapAlloc+00000029
pdh!BuildNameTable+00000619
pdh!ConnectMachine+0000029C
pdh!GetMachine+0000019F
pdh!InitCounter+000000F3
pdh!PdhiAddCounter+000000AB
pdh!PdhAddCounterW+000000F7
LMS20Rules!_CreatePdhQueryHelper+00000420
LMS20Rules!LMSRuleDLL_Interface::CreatePdhQueryNT5+0000002A
LmsSs!LMS_Subsystem::SampleRuleLoads+00000034
LmsSs!LMS_Subsystem::UpdateLoadRecords+0000006D
LmsSs!LMS_Subsystem::TimerWakeHandler+000000F0
ImaCommon!DispatchWorkItem+00000132
ImaCommon!WorkItemDispatchThread+00000322
MSVCR80!_endthreadex+0000003B
MSVCR80!_endthreadex+000000C7
ntdll!__RtlUserThreadStart+00000023
ntdll!_RtlUserThreadStart+0000001B
Desktop heap is probably not something that you spend a lot of time thinking about, which is a good thing.
very good information, receive a dump, loose my symbols path everything I need was here :)
"이 문서는 http://blogs.msdn.com/ntdebugging blog 의 번역이며 원래의 자료가 통보 없이 변경될 수 있습니다. 이 자료는 법률적 보증이 없으며
Hello,
Can you please tell me, what is the target market (computer user level) of your site? I would also like to know if you have an email box for visitors seeking additional information concerning material posted on your?
I wasn't sure if I was suppose to change the information in the "title field," but I guess the most appropriate title would be as owner of a web site, even though it’s my first, and currently under construction.
Regards,
Chi
"You probably can’t avoid tech support problems entirely, but by using tools that Microsoft’s Global