3rd-party program crashes

Post by Guest » Fri May 05, 2006 8:56 am

Hi

I have a third-party program without source code. It crashes, displaying the MS box asking to send a report. When I add an int3 and run it under a debugger, I get:

0:004> kb
ChildEBP RetAddr Args to Child
00b9ffc8 7c9507a8 00000005 00000004 00000001 ntdll!DbgBreakPoint
00b9fff4 00000000 00000000 00000000 00000000 ntdll!DbgUiRemoteBreakin+0x2d

How can I see where the program crashed before?

Thanks
Guest
 

Post by VDO » Fri May 05, 2006 7:27 pm

Use the 'g' command until you get a first chance/second chance exception.
It's important to get the second chance exception; for this case you might need to execute the 'g' command yet another time. Next, use the 'kv' command.

Also to have the dump saved automatically after a second chance exception:

1. Create a folder where the dump will be stored and give it full control permissions for users or remote desktop users. Here the c:\TEMP folder is used as an example.

2. Set the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

to

ntsd -p %ld -e %ld -g -c ".dump /f /u c:\TEMP\new.dmp; q"

3. Whenever there is an exception <...>, a dump will be stored in the TEMP folder. A unique prefix is added to the dump name, for example:

new_2005-02-22_09-53-13-245_0C24.dmp

Note: On some operating systems, such as Windows 2003, Windows XP and later, you can use the /ma switch instead of the /f switch to save additional debugging information such as handle data and thread time information:

ntsd -p %ld -e %ld -g -c ".dump /ma /u c:\TEMP\new.dmp; q"

After that, load the dump into WinDbg.exe and use the '!analyze -v' command.
VDO
Site Admin
 
Posts: 549
Joined: Mon May 01, 2006 10:34 am
Location: Dublin, Ireland
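
The AeDebug setup from steps 1-3 of the reply above, as an added PowerShell example that is not part of the original posts. It assumes an elevated prompt and that ntsd.exe is on the PATH; the backup file name AeDebug-Debugger.bak.txt and the script parameters are hypothetical names chosen for this example.

```powershell
# Added example, not from the original thread. Save as a script and run elevated.
param(
    [string]$DumpDir = 'C:\TEMP',   # folder used as the example in the post
    [switch]$FullMemory             # use /ma instead of /f (Windows XP / 2003 and later)
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

# Step 1: create the dump folder and grant the built-in Users group full control.
# S-1-5-32-545 is the well-known SID of BUILTIN\Users (works on localized systems).
# Dumps can contain secrets from process memory, and this ACL lets every local
# user read them; tighten it once the crash has been captured.
if (-not (Test-Path $DumpDir)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
}
icacls $DumpDir /grant '*S-1-5-32-545:(OI)(CI)F' | Out-Null

# Keep the previous postmortem debugger so it can be restored later.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$old = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($old) {
    Set-Content -Path (Join-Path $DumpDir 'AeDebug-Debugger.bak.txt') -Value $old
}

# Step 2: build the ntsd command line from the post and write it to the Debugger value.
# %ld placeholders are filled in by Windows with the process id and event handle.
$dumpSwitch = if ($FullMemory) { '/ma' } else { '/f' }
$cmd = 'ntsd -p %ld -e %ld -g -c ".dump {0} /u {1}\new.dmp; q"' -f $dumpSwitch, $DumpDir
Set-ItemProperty -Path $key -Name Debugger -Value $cmd

# Show what is now configured so it can be compared with the post.
(Get-ItemProperty -Path $key -Name Debugger).Debugger
```

To undo the change, write the saved line from the backup file back to the Debugger value.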

