Defrag Tools #167 - Debugging User Mode Crash Dumps Redux


The Discussion

  •

    What's the difference between setting these registry keys vs procdump?


  •

    Excellent video!
    But in the next one, a little bit slower will be better... ;)


  •

    tip: you can use %* in the d.cmd script eg:

    @dir %*

  •

    What's the difference between setting these registry keys vs procdump?

    With WER you have more control (specify dump options, dump path on a per-app basis)


    The .dumpdebug is great, but sadly not documented, I found it some months ago in this blog:


    My symbol cache is over 70GB :P (75 556 358 949 Bytes, 79271 files, 108318 folders).



  •


    Great show as usual!

    Would you have any advice on what else can be checked in the debugger that would explain in more detail why the access violation occurred in Outlook.exe (see windbg output below) on module wwlib.dll? Or would you say that updating wwlib.dll is the best approach?

    0:000> |
    . 0 id: 14094 examine name: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE

    0:000> .exr -1
    ExceptionAddress: 5a0d7dc4 (WWLIB+0x00027dc4)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 00000304
    Attempt to read from address 00000304

    0:000> .ecxr
    eax=05d00f5e ebx=00000000 ecx=06acc000 edx=06acc000 esi=06acc000 edi=00000000
    eip=5a0d7dc4 esp=0018ed50 ebp=0018ef60 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
    5a0d7dc4 ffb704030000 push dword ptr [edi+304h] ds:002b:00000304=????????

    0:000> kv
    *** Stack trace for last set context - .thread/.cxr resets it
    # ChildEBP RetAddr Args to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 0018ef60 5adfd382 00000000 00000001 00000000 WWLIB+0x27dc4
    01 0018ef8c 30238d2e 06bb5064 06a3af64 00060c22 WWLIB+0xd4d382
    02 0018efc8 3023aa63 00000000 06a598c0 00000001 OUTLOOK!FFolderSupportsUnicode+0x2487
    03 0018eff0 3024bc75 00000000 06a598dc 00000000 OUTLOOK!FFolderSupportsUnicode+0x41bc
    04 0018f188 3023fec4 00000000 0fffffff 06aa4800 OUTLOOK!SmoothScroll+0x1098c
    05 0018f19c 3023fd55 06a598dc 0fffffff 6a6a7964 OUTLOOK!SmoothScroll+0x4bdb
    06 0018f800 2f927f6c 00000000 0fffffff 00000002 OUTLOOK!SmoothScroll+0x4a6c
    07 0018f884 3023aaf9 06aa4858 0fffffff 00000000 OUTLOOK!GetAllocCounters+0x2a78d
    08 0018f8a4 3023cfd0 06a3abe0 06a3aba0 00000000 OUTLOOK!FFolderSupportsUnicode+0x4252
    09 0018f910 3023c556 06aa3c30 0018f940 02702970 OUTLOOK!SmoothScroll+0x1ce7
    0a 0018f964 2f976570 06aa3c30 00000000 00000000 OUTLOOK!SmoothScroll+0x126d
    0b 0018f988 30267a8e 06aa3c30 00000000 07150e60 OUTLOOK!GetCentralObject+0x2384
    0c 0018fa40 301a2cfd 00000000 0000001b 0018fa98 OUTLOOK!SmoothScroll+0x2c7a5
    0d 0018fa50 2f987ab1 02702400 3028e990 00000001 OUTLOOK!HrMsgDownloadedNotification+0x2dbc6
    0e 0018fa98 2f9a6ffc 0661bc88 00000000 00000001 OUTLOOK!XGetExplorerStoragePath+0x4adb
    0f 0018fad4 3026e830 00000001 00000000 00000001 OUTLOOK!XGetExplorerStoragePath+0x24026
    10 0018faf8 3026ea50 00000000 00000000 30290b38 OUTLOOK!SmoothScroll+0x33547
    11 0018fb34 2f973397 00000000 00000000 00000000 OUTLOOK!SmoothScroll+0x33767
    12 0018fb5c 2f80ec5f 2f7f0000 00000000 00384c6e OUTLOOK!GetAllocCounters+0x75bb8
    13 0018fbec 757c338a 7efde000 0018fc38 77869902 OUTLOOK+0x1ec5f
    14 0018fbf8 77869902 7efde000 7a58ce6c 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
    15 0018fc38 778698d5 2f7f3910 7efde000 ffffffff ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
    16 0018fc50 00000000 2f7f3910 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

    0:000> lmvm WWLIB
    Browse full module list
    start end module name
    5a0b0000 5b1c4000 WWLIB T (no symbols)
    Loaded symbol image file: WWLIB.DLL
    Image path: C:\Program Files (x86)\Microsoft Office\Office12\WWLIB.DLL
    Image name: WWLIB.DLL
    Browse all global symbols functions data
    Timestamp: Thu May 19 04:51:24 2016 (573D383C)
    CheckSum: 01102DB5
    ImageSize: 01114000
    File version: 12.0.6749.5000
    Product version: 12.0.6749.0
    File flags: 0 (Mask 3F)
    File OS: 40004 NT Win32
    File type: 2.0 Dll
    File date: 00000000.00000000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

  •

    @Luke: Not enough information there to determine anything. If you share the .dmp on a OneDrive we could take a look. If I'm not mistaken, though, that looks like Office 2007, which hasn't gotten any non-security fixes in several years now, so the real answer might be to update to a newer version of Office.

  • Joyce Gammill

    Totally lost; not a clue what y'all are talking about (senior citizen, duh - frustrating); want the update (do I?), but not sure I'll ever get it, i.e., understand what I should be doing. Got anything plain and simple for old gray mares, maybe? FYI: Dell Inspiron 1545 laptop, but never used as such - plugged in, no battery, never leaves desk.

  • Timothy Suhr

    I was able to follow the direction the video made. It would be helpful to have more information about this whole topic. Please do not stop here! As a tester I think this may help. More about what would best go into bug reports. Also the use of these tools from a testing perspective would be helpful.

    Thanks again and keep up the great work...

  •

    Thanks for the Video guys.

    Any Details when this book is coming out, they keep pushing it back a month :)


  •

    If I want to get the most inclusive dump, should I use ProcDump -ma or -mp?

  • matthew grossman

    NM -ma it is

  •

    How do you get !pe right away? I have to run .cordll -l to make windbg load sos.

  •
    Just discovered your show and am super excited about it. Thank you for making it!
