How to use windbg to troubleshoot executable which won't start?

The Intel Power Gadget tool won't run on my system and I'm trying to figure out why. This is a Core i7-720QM running Windows 8.1 x64. AIDA64 reads the CPU temperature fine, but I can't even start Intel Power Gadget: no window opens and nothing happens. It works fine on a different computer.

I tried attaching windbg, but the reason the executable fails is not obvious. I haven't been able to find a windbg tutorial showing how to troubleshoot an executable that won't start.

In the output below, I set a breakpoint and dumped the stack as suggested by user blabb. Any ideas?

0:000> .symfix
0:000> .restart
CommandLine: "C:\Program Files\Intel\Power Gadget 3.0\IntelPowerGadget.exe"

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: srv*
ModLoad: 00007ff6`800f0000 00007ff6`80178000   IntelPowerGadget.exe
ModLoad: 00007ff9`82ab0000 00007ff9`82c5c000   ntdll.dll
ModLoad: 00007ff9`80480000 00007ff9`805be000   C:\Windows\system32\KERNEL32.DLL
ModLoad: 00007ff9`7fcd0000 00007ff9`7fde5000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 00000000`550e0000 00000000`55643000   C:\Windows\SYSTEM32\mfc100u.dll
ModLoad: 00000000`55920000 00000000`559f2000   C:\Windows\SYSTEM32\MSVCR100.dll
ModLoad: 00007ff9`80820000 00007ff9`80997000   C:\Windows\system32\USER32.dll
ModLoad: 00007ff9`82450000 00007ff9`825a1000   C:\Windows\system32\GDI32.dll
ModLoad: 00007ff9`80ce0000 00007ff9`821f9000   C:\Windows\system32\SHELL32.dll
ModLoad: 00007ff9`805c0000 00007ff9`80754000   C:\Windows\system32\ole32.dll
ModLoad: 00007ff9`7b660000 00007ff9`7b810000   C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll
ModLoad: 00000000`55880000 00000000`55918000   C:\Windows\SYSTEM32\MSVCP100.dll
ModLoad: 00007ff9`823f0000 00007ff9`82444000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 00007ff9`7d8c0000 00007ff9`7db3b000   C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll
ModLoad: 00007ff9`7cca0000 00007ff9`7cca7000   C:\Windows\SYSTEM32\MSIMG32.dll
ModLoad: 00007ff9`803d0000 00007ff9`8047a000   C:\Windows\system32\msvcrt.dll
ModLoad: 00007ff9`82700000 00007ff9`82911000   C:\Windows\SYSTEM32\combase.dll
ModLoad: 00007ff9`825b0000 00007ff9`826f1000   C:\Windows\system32\RPCRT4.dll
ModLoad: 00007ff9`807c0000 00007ff9`80819000   C:\Windows\SYSTEM32\sechost.dll
(1a58.1a54): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ff9`82b71cd0 cc              int     3
0:000> bp ntdll!ntTerminateProcess
0:000> bl
 0 e 00007ff9`82b41090     0001 (0001)  0:**** ntdll!NtTerminateProcess
0:000> g
ModLoad: 00007ff9`80770000 00007ff9`807a6000   C:\Windows\system32\IMM32.DLL
ModLoad: 00007ff9`80270000 00007ff9`803c3000   C:\Windows\system32\MSCTF.dll
ModLoad: 00007ff9`7e870000 00007ff9`7e999000   C:\Windows\SYSTEM32\UxTheme.dll
ModLoad: 00007ff9`7df70000 00007ff9`7df91000   C:\Windows\system32\dwmapi.dll
ModLoad: 00000000`550d0000 00000000`550dd000   C:\Windows\SYSTEM32\MFC100ENU.DLL
ModLoad: 00007ff9`82a00000 00007ff9`82aaa000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007ff9`743b0000 00007ff9`743c1000   C:\Program Files\Intel\Power Gadget 3.0\EnergyLib64.dll
ModLoad: 00007ff9`7f230000 00007ff9`7f276000   C:\Windows\SYSTEM32\POWRPROF.dll
Breakpoint 0 hit
ntdll!NtTerminateProcess:
00007ff9`82b41090 4c8bd1          mov     r10,rcx
0:000> kb
RetAddr           : Args to Child                                                           : Call Site
00007ff9`82b1f400 : 00007e42`e1a67e08 00000000`013f1680 00000000`00000000 00000000`00fafc80 : ntdll!NtTerminateProcess
00007ff9`8048516a : 00000000`00000000 00000000`013f1680 00000000`013f1680 00007ff6`80105bb0 : ntdll!RtlExitUserProcess+0x60
00000000`55940ccd : 00000000`013f1678 00007ff6`863f6e0b 00000000`01181f9e 00000000`00000000 : KERNEL32!ExitProcessImplementation+0xa
*** ERROR: Module load completed but symbols could not be loaded for IntelPowerGadget.exe
00007ff6`800f9e78 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!doexit+0x1c1
00007ff9`804813d2 : 00007ff6`800f9fc4 00007ff6`7f50b000 00000000`00000000 00000000`00000000 : IntelPowerGadget+0x9e78
00007ff9`82b1eb64 : 00007ff9`804813b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
0:000> g
Breakpoint 0 hit
ntdll!NtTerminateProcess:
00007ff9`82b41090 4c8bd1          mov     r10,rcx
0:000> g
ntdll!NtTerminateProcess+0xa:
00007ff9`82b4109a c3              ret

The output in your question is not useful; you are just running the application and windbg is showing all the modules it loads, which gives no information about the problem at hand. You probably need to set at least one breakpoint, let windbg break, and dump the stack to analyze the execution path.

.restart

When windbg breaks, set a bp before issuing g. When the breakpoint is hit, use kb to dump the stack backtrace:

bp ntdll!ntTerminateProcess
bl
g
kb

Edit your post to paste the new output.

The function that causes the termination seems to be at 00007ff6`800f9e78

You may need to analyze this function.

ub (unassemble backward): ub 00007ff6`800f9e78. Enable loader snaps (!gflag +sls) and scan the debug spew for clues about what may be causing the failure, since a dependency problem should show up there. The call should be visible; if this call appears to be the terminal call, you may need to backtrack to determine the branch that led to this call and analyze why that branch was taken.

00007ff6`800f9e78 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!doexit+0x1c1
00007ff9`804813d2 : 00007ff6`800f9fc4 00007ff6`7f50b000 00000000`00000000 00000000`00000000 : IntelPowerGadget+0x9e78 

Edit

I looked at the exe in question, and it seems to have an integer divide-by-zero exception in an initialization routine called from EnergyLib64.dll->initterm (LdrpRunInitializeRoutine) while checking some processor-specific feature using cpuid. After some calculation, the result of cpuid is shifted right by 20 (shr eax,20), which makes eax 0, and the divisor ebp is also 0, so div eax, ebp causes a divide-by-zero exception that leads to immediate termination via msvcrt!exit at 0x......9e78
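As an added illustration (not code from the question, the answer, or Intel's tool), here is the failure pattern the answer describes next to a guarded form, in C. The cpuid stand-in, the leaf numbers, and the choice of ebx as the divisor are assumptions; the real routine's inputs are not on the page.

```c
#include <stdint.h>

typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

/* Constructed stand-in for the cpuid instruction (real code would use
 * __cpuid on MSVC). Leaf 0 reports the highest basic leaf the CPU
 * implements. For a leaf above that, this stand-in returns all zeros,
 * reproducing the all-zero registers the answer observed. */
static cpuid_regs fake_cpuid(uint32_t max_basic_leaf, uint32_t leaf) {
    cpuid_regs r = {0, 0, 0, 0};
    if (leaf == 0) { r.eax = max_basic_leaf; return r; }
    if (leaf > max_basic_leaf) return r;   /* unsupported leaf: zeros */
    r.eax = 0x1f400000u;   /* constructed: eax >> 20 == 0x1f4 (500) */
    r.ebx = 100u;          /* constructed divisor */
    return r;
}

/* The faulting pattern from the answer: eax >> 20 as dividend, another
 * register as divisor, no validation. With an unsupported leaf both are
 * zero, the DIV raises #DE and the CRT exits before any window is shown.
 * Kept for comparison only; never called. */
uint32_t init_ratio_unchecked(cpuid_regs r) {
    return (r.eax >> 20) / r.ebx;
}

/* Hardened form: confirm the leaf is implemented before trusting its
 * output and never divide by zero. Returns 0 on success and -1 when the
 * CPU lacks the feature, so the caller can degrade instead of crashing. */
int init_ratio_checked(uint32_t max_basic_leaf, uint32_t leaf, uint32_t *out) {
    cpuid_regs top = fake_cpuid(max_basic_leaf, 0);
    if (leaf > top.eax) return -1;               /* leaf not implemented */
    cpuid_regs r = fake_cpuid(max_basic_leaf, leaf);
    uint32_t dividend = r.eax >> 20, divisor = r.ebx;
    if (divisor == 0) return -1;                 /* would fault in DIV */
    *out = dividend / divisor;
    return 0;
}
```

The checked form is what a startup routine should do so that an unsupported CPU produces an error message rather than the silent exit seen in the question.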