Windbg: user-mode dump, is a Windows event set or not
I'm trying to debug a dump of my user-mode service that is stuck in STOPPED_PENDING, just to check whether the service stop event "MySvcStopEvent" is set. I got the event handle and tried to dump the handle details:
0:002> !handle 0x00000000`00000164 f
Handle 0000000000000164
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 3
PointerCount 785993
Name \BaseNamedObjects\MySvcStopEvent
Object specific information
Can't determine whether the event is set?
Object-specific information is shown only if it is present in the dump.
You may have to create the dump with the appropriate options to ensure the information you are looking for is included in the dump.
This is a live-target display for Handle Type EVENT:
0:000> !handle 0 f EVENT
Handle 4
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 32769
Name <none>
Object Specific Information
Event Type Manual Reset
Event is Waiting
Handle c
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object Specific Information
Event Type Auto Reset
Event is Waiting
Handle 3c
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65535
Name <none>
Object Specific Information
Event Type Auto Reset
Event is Set
Handle 40
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65536
Name <none>
Object Specific Information
Event Type Auto Reset
Event is Set
4 handles of type Event
You can use the dumpchk tool shipped in the windbg package to inspect the dump; it parses _MINIDUMP_HEADER and emits statistics of the input dmp file, where NumberOfStreams or the _MINIDUMP_HEADER Flags indicate how much data is present in the dump file.
The four dump files below were created with .dump, .dump /f, .dump /h and .dump /ma on a random process using windbg; the relevant signals were grepped and posted.
F:\>f:\git\usr\bin\ls.exe -lag *.dmp
-rw-r--r-- 1 197121 7979145 Sep 20 13:09 bar.dmp
-rw-r--r-- 1 197121 7989384 Sep 20 13:10 blah.dmp
-rw-r--r-- 1 197121 9180 Sep 20 13:09 foo.dmp
-rw-r--r-- 1 197121 11198 Sep 20 13:10 hand.dmp
F:\>f:\git\usr\bin\ls.exe -lag *.txt
-rw-r--r-- 1 197121 8612 Sep 20 13:12 bar.txt
-rw-r--r-- 1 197121 22447 Sep 20 13:12 blah.txt
-rw-r--r-- 1 197121 13912 Sep 20 13:11 foo.txt
-rw-r--r-- 1 197121 15458 Sep 20 13:12 hand.txt
F:\>f:\git\usr\bin\grep.exe -ir "Loading.*Dump.*File" -A 1 *.txt
bar.txt:Loading Dump File [F:\bar.dmp]
bar.txt-User Dump File: Only application data is available
--
blah.txt:Loading Dump File [F:\blah.dmp]
blah.txt-User Mini Dump File with Full Memory: Only application data is available
--
foo.txt:Loading Dump File [F:\foo.dmp]
foo.txt-User Mini Dump File: Only registers, stack and portions of memory are available
--
hand.txt:Loading Dump File [F:\hand.dmp]
hand.txt-User Mini Dump File: Only registers, stack and portions of memory are available
F:\>f:\git\usr\bin\grep.exe -ir "Number.*of.*Streams" -A 1 *.txt
blah.txt:NumberOfStreams 17
blah.txt-Flags 641826
--
foo.txt:NumberOfStreams 13
foo.txt-Flags 40000
--
hand.txt:NumberOfStreams 15
hand.txt-Flags 40004
Regarding the last comment:
I derived this answer from the quote below from the documentation; it has worked for me several times when I needed it, but this answer was not verified by the OP and was commented on as superfluous.
The quote from the documentation, Remarks section:
However, you cannot use this extension on user-mode dump files, unless you specifically created them with handle information. (You can create such dump files by using the .dump /mh (Create Dump File) command.)
Curiosity-killed-the-cat edit:
Created 3 dumps using sysinternals procdump on a win10 64-bit machine
with a 64-bit debuggee.
Loaded them all into windbg to look for Handle type Event.
They all have handle data, and all have object-specific information.
So apparently this is a coin toss, or maybe a weird 64-bit / 32-bit corner case.
Cannot draw conclusive evidence for or against.
f:\src\wait>f:\sysint\procdump.exe -mm wait.exe waitmm.dmp
f:\src\wait>f:\sysint\procdump.exe -ma wait.exe waitma.dmp
f:\src\wait>f:\sysint\procdump.exe -mc ffffffff wait.exe waitmc.dmp
f:\src\wait>f:\git\usr\bin\ls -lag *.dmp
-rw-r--r-- 1 197121 7003583 Sep 23 17:47 waitma.dmp
-rw-r--r-- 1 197121 124387 Sep 23 17:47 waitmc.dmp
-rw-r--r-- 1 197121 124369 Sep 23 17:47 waitmm.dmp
f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitmc.dmp
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Manual Reset
Event is Set
Handle 0000000000000008
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65538
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
4 handles of type Event
quit:
f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitma.dmp
0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Manual Reset
Event is Set
Handle 0000000000000008
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65538
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
4 handles of type Event
quit:
f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitmm.dmp
0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65537
Name <none>
Object specific information
Event Type Manual Reset
Event is Set
Handle 0000000000000008
Type Event
Attributes 0
GrantedAccess 0x1f0003:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState,ModifyState
HandleCount 2
PointerCount 65538
Name <none>
Object specific information
Event Type Auto Reset
Event is Waiting
4 handles of type Event
quit:
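The header check the answer does with dumpchk, as an added example that is not part of the original answer: it parses _MINIDUMP_HEADER and the stream directory, decodes the Flags values seen in the grep output (0x40000 vs 0x40004) and reports whether a HandleDataStream is present, which is what !handle needs to show "Event is Set/Waiting". The constants are the documented MINIDUMP_TYPE / MINIDUMP_STREAM_TYPE values; the dump image is constructed in-line (header plus directory only), not a real dump.

```python
import struct

# Constants from the documented minidumpapiset.h definitions; only the flags
# and stream type relevant to handle data are listed here (assumption).
MINIDUMP_SIGNATURE = 0x504D444D   # 'MDMP'
HANDLE_DATA_STREAM = 12           # MINIDUMP_STREAM_TYPE HandleDataStream
FLAG_NAMES = {
    0x2:     "MiniDumpWithFullMemory",
    0x4:     "MiniDumpWithHandleData",    # what .dump /mh adds
    0x800:   "MiniDumpWithFullMemoryInfo",
    0x1000:  "MiniDumpWithThreadInfo",
    0x40000: "MiniDumpWithTokenInformation",
}

def parse_minidump(blob):
    """Parse _MINIDUMP_HEADER plus its stream directory and summarise what is present."""
    sig, _ver, nstreams, dir_rva, _csum, _ts, flags = struct.unpack_from("<IIIIIIQ", blob, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    # Each MINIDUMP_DIRECTORY entry: StreamType, DataSize, Rva (12 bytes)
    streams = [struct.unpack_from("<III", blob, dir_rva + 12 * i) for i in range(nstreams)]
    return {
        "NumberOfStreams": nstreams,
        "Flags": flags,
        "FlagNames": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        # !handle can only show object-specific state when this stream exists
        "HasHandleData": any(t == HANDLE_DATA_STREAM and size > 0 for t, size, _ in streams),
    }

def build_sample(flags, stream_types):
    """Constructed minimal dump image (header + directory only); not a real dump."""
    dir_rva = 32                                   # directory follows the 32-byte header
    hdr = struct.pack("<IIIIIIQ", MINIDUMP_SIGNATURE, 0xA793, len(stream_types), dir_rva, 0, 0, flags)
    directory = b"".join(struct.pack("<III", t, 64, 0) for t in stream_types)
    return hdr + directory

if __name__ == "__main__":
    # Flags 40000 vs 40004 mirror the foo.dmp / hand.dmp values from the grep output.
    for flags, types in ((0x40000, [3, 4, 7]), (0x40004, [3, 4, 7, HANDLE_DATA_STREAM])):
        print(parse_minidump(build_sample(flags, types)))
```

On a real file, replace the constructed blob with the first few KB of the .dmp read in binary mode; the directory RVA is normally right after the header.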