By: Crash Dump Analysis » Blog Archive » Debugging the Debugger (16-bit)

Crash Dump Analysis » Blog Archive » Debugging the Debugger (16-bit) — Fri, 16 Apr 2010 22:39:32 +0000

[…] it looks like WinDbg double debugging is much more robust despite it bigger file size (debug.exe is […]

By: Dmitry Vostokov

Dmitry Vostokov — Thu, 11 Dec 2008 21:45:51 +0000

Two years ago when I wrote this post I didn’t know that

By: rr

rr — Thu, 11 Dec 2008 16:56:15 +0000

i dont believe you dont know either ctrl+p enter in cdb or .dbgdbg command in windbag

0:002> ~*k;.shell -ci “version” findstr “command”

0 Id: 880.81c Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr
0006cf24 7c90e306 ntdll!KiFastSystemCallRet
0006cf28 7c80c8d8 ntdll!ZwReleaseSemaphore+0xc
0006cf3c 020bf9e8 kernel32!ReleaseSemaphore+0×14
0006cf94 0102acd0 dbgeng!DebugClient::ExitDispatch+0xd8
0006cfa4 01027915 windbg!UpdateEngine+0×30
0006cfac 01027a0f windbg!FinishCommand+0×15
0006cfd0 01014994 windbg!AddStringCommand+0xef
0006cfe8 01012569 windbg!CmdExecuteCmd+0xa4
0006d044 01018f77 windbg!WinCommand::OnNotify+0×469
0006d1a8 77d48709 windbg!WinBase::BaseProc+0xc87
0006d1d4 77d487eb USER32!InternalCallWinProc+0×28
0006d23c 77d4b743 USER32!UserCallWinProcCheckWow+0×150
0006d278 77d4b7ab USER32!SendMessageWorker+0×4a5
0006d298 74e8abfa USER32!SendMessageW+0×7f
0006d4d0 74e4fe1d RICHED20!CW32System::SendMessage+0×3d
0006d50c 74e50d60 RICHED20!CTxtWinHost::TxNotify+0xd0
0006ddf4 77d48709 RICHED20!RichEditWndProc+0×19b
0006de20 77d487eb USER32!InternalCallWinProc+0×28
0006de88 77d489a5 USER32!UserCallWinProcCheckWow+0×150
0006dee8 77d489e8 USER32!DispatchMessageWorker+0×306

1 Id: 880.5b8 Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr
00d7ff98 7c90d85c ntdll!KiFastSystemCallRet
00d7ff9c 7c9279d4 ntdll!NtDelayExecution+0xc
00d7ffb4 7c80b50b ntdll!RtlpTimerThread+0×47
00d7ffec 00000000 kernel32!BaseThreadStart+0×37

# 2 Id: 880.8e4 Suspend: 1 Teb: 7ffda000 Unfrozen
ChildEBP RetAddr
00f6d238 02141299 ext!analyze
00f6d2c4 021414d9 dbgeng!ExtensionInfo::CallA+0×2e9
00f6d454 021415a2 dbgeng!ExtensionInfo::Call+0×129
00f6d470 0213feb1 dbgeng!ExtensionInfo::CallAny+0×72
00f6d8e8 02181698 dbgeng!ParseBangCmd+0×661
00f6d9d8 02182b29 dbgeng!ProcessCommands+0×508
00f6da1c 020c9049 dbgeng!ProcessCommandsAndCatch+0×49
00f6deb4 020c92aa dbgeng!Execute+0×2b9
00f6dee4 010283bf dbgeng!DebugClient::ExecuteWide+0×6a
00f6df84 0102883b windbg!ProcessCommand+0xff
00f6ffa0 0102aabc windbg!ProcessEngineCommands+0×8b
00f6ffb4 7c80b50b windbg!EngineLoop+0×3dc
00f6ffec 00000000 kernel32!BaseThreadStart+0×37
command line: ‘F:\windbgwithdbgengsym\cdb.exe -server npipe:icfenable,pipe=cdb_
pipe -p 2176′ Debugger Process 0×8EC
.shell: Process exited
0:002>

the crashdump i was looking at while i posted this

BugCheck 35, {85e14008, 0, 0, 0}

*** WARNING: Unable to verify timestamp for HDAudBus.sys
*** ERROR: Module load completed but symbols could not be loaded for HDAudBus.sys
Probably caused by : HDAudBus.sys ( HDAudBus+13bb0 )

Followup: MachineOwner
———

kd> .dbgdbg
Debugger spawned, connect with
“-remote npipe:icfenable,pipe=cdb_pipe,server=PRV”

kd> !analyze -v
[…]

NO_MORE_IRP_STACK_LOCATIONS (35)
A higher level driver has attempted to call a lower level driver through
the IoCallDriver() interface, but there are no more stack locations in the
packet, hence, the lower level driver would not be able to access its

Comments on: Debugging the Debugger

By: Crash Dump Analysis » Blog Archive » Debugging the Debugger (16-bit)

By: Dmitry Vostokov

By: rr