I think this will be the last article to come from James’ post on debugging MAPI (previous posts here , here , and here ). This last one bit me when I was trying to gather a UST trace from a customer. Here’s the deal: The image file name associated with an executable can be different depending on how the process is launched. And Image File Execution Options (IFEO) works on the image file name, not the executable name. To illustrate this, we can rename mfcmapi.exe (my favorite executable, natch) to

Digging more into lessons learned from James’ blog on analyzing memory usage (my first two articles are here and here ). Today we take a side trip into 64 vs. 32 bit. While we were working on this issue, I decided to get some UST enabled dumps of MFCMAPI so I could compare a known scenario to the customer’s unknown scenario (a great diagnostic technique). However, no matter what settings I specified in gflags, when I attached the debugger, MFCMAPI didn’t have UST enabled! Let’s look at how gflags

Continuing our look at lessons learned from James’ article on the MAPI memory leak , we look at the memory that James recognized as MAPI properties. How did he figure this out? As a refresher, here’s what the memory looked like: 0:000> !heap -p -a 0372e598 address 0372e598 found in _HEAP @ 36f0000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 0372e598 0022 0000 [07] 0372e5a0 000f8 - (busy) ? 3rdpartydll+1 Trace: 7dfe 0:000> dc 0372e598 lf8/4+2+4 0372e598 000d0022 001807d6 10000001 03707d50

James wrote up a good article on analyzing a MAPI memory leak using user mode stack tracing . I wanted to highlight some points he made. Let’s look at some !heap output from one of my recent cases (using only public symbols here): 0:000> !heap -p -a 03fbec28 address 03fbec28 found in _HEAP @ 3f90000 HEAP_ENTRY Size Prev Flags UserPtr UserSize - state 03fbec20 0021 0000 [07] 03fbec28 000f0 - (busy) ? EMSMDB32!MSProviderInit+1d27a Trace: 1922 7c8531e4 ntdll!RtlAllocateHeapSlowly+0x00000041 7c83d97a

I noticed recently that one on of my machines, whenever I ran MFCMAPI and displayed one of my CEditor dialogs, the whole machine froze for 1 to several minutes. I figured this would be a fun opportunity to practice my kernel debugging skills and share what I learned. A bit about my setup: I keep two physical machines in my office. On the larger machine, I run Hyper-V Server 2008 . This headless box sits in the corner and hosts all my VMs, including the VM where I run Outlook and other day-to-day

Prior to taking a dump on a program, you should be sure that there are matching symbols for the application the dump is being taken on. Large dumps can take many hours to upload to a person for debugging. You can validate symbols against the executable before a dump is taken in order to prevent the wrong symbols or a dump with no matching symbols from being sent. Symchk can be used to verify that the symbols (.pdb) for the program can be found in the path designated after the “/s” parameter. It will

Full Dumps: A full dump pretty much gets everything in memory for the application at the time the dump is taken. Because of this, a process taking one gig of memory will likely result in a one gig dump file. · A full dump will have this information: Heap memory - objects, variables created by free or malloc (in C++). · Call stacks of all threads - all function calls being processed with their variables on the stack. · Thread and environment blocks - This shows what the current thread is and its state.

With Vista, you can create a mini-dump by right clicking on the process in Task Manager. However, user-mode process dump information is not available by using this feature. This feature is not available under Windows 2003 or Windows XP.

When an application crashes, the user may only have Visual Studio on the box. When the crash occurs, the developer may be prompted to see if they wish to debug the appliction. If they can choose Visual Studio, then they can save the dump to a file which can be looked at with windbg later. 1) On the Debug menu, click Save Dump As. 2) In the Save Dump As dialog box, select Minidump or Minidump with Heap from the Save as type list box. Note: You really should go for the Minidump with heap at least.

Adplus from the Debugging Tools can be used to get Hang Dumps. Normally, you want to take at least 2 dumps to so the person debugging can get an idea of where the hang is. Installing Adplus and the Debugging SDK: 1) Go to http://www.microsoft.com/whdc/devtools/debugging/default.mspx and download the debugging tools to match the version of Windows of the machine where the program is running and the processor type (32bit or 64bit) of the application for which the dump is going to be taken. 2) Install