Old dumps, new extensions
Up to now I’ve been using old Windows 2000 WinDbg extensions to extract information from Windows 2003 and XP crash dumps when their native extensions failed. Today I found I can do it the other way around: extract information from old Windows 2000 crash dumps using WinDbg extensions written for Windows XP and later.
Here is an example. The WinDbg !stacks command shows the following not really helpful output from a Windows 2000 complete memory dump:
2: kd> !stacks
Proc.Thread Thread Ticks ThreadState Blocker
[System]
8.000004 89df8220 0000000 BLOCKED nt!KiSwapThread+0x1b1
8.00000c 89dc1860 0003734 BLOCKED nt!KiSwapThread+0x1b1
8.000010 89dc15e0 0003734 BLOCKED nt!KiSwapThread+0x1b1
8.000014 89dc1360 00003b4 BLOCKED nt!KiSwapThread+0x1b1
8.000018 89dc10e0 0003734 BLOCKED nt!KiSwapThread+0x1b1
8.00001c 89dc0020 0000381 BLOCKED nt!KiSwapThread+0x1b1
8.000020 89dc0da0 00066f6 BLOCKED nt!KiSwapThread+0x1b1
8.000024 89dc0b20 00025b4 BLOCKED nt!KiSwapThread+0x1b1
8.000028 89dc08a0 00025b4 BLOCKED nt!KiSwapThread+0x1b1
8.00002c 89dc0620 0003734 BLOCKED nt!KiSwapThread+0x1b1
8.000030 89dc03a0 0003734 BLOCKED nt!KiSwapThread+0x1b1
8.000034 89dbf020 00025b4 BLOCKED nt!KiSwapThread+0x1b1
8.000038 89dbfda0 00025b4 BLOCKED nt!KiSwapThread+0x1b1
8.00003c 89dbfb20 00007b4 BLOCKED nt!KiSwapThread+0x1b1
8.000040 89dbf8a0 00007b4 BLOCKED nt!KiSwapThread+0x1b1
8.000044 89dbf620 0000074 BLOCKED nt!KiSwapThread+0x1b1
8.000048 89dbf3a0 00007b4 BLOCKED nt!KiSwapThread+0x1b1
...
...
...
This command is implemented in different WinDbg extension DLLs depending on the Windows version (from WinDbg help):
Windows NT 4.0          Unavailable
Windows 2000            Kdextx86.dll
Windows XP and later    Kdexts.dll
and I tried the newer kdexts.dll with better results:
2: kd> !winxp\kdexts.stacks
Proc.Thread .Thread Ticks ThreadState Blocker
[89df84a0 System]
8.0000c8 89db77c0 0000000 Blocked nt!MiRemoveUnusedSegments+0xf4
8.0000f0 89c8a020 0019607 Blocked cpqasm2+0x1ef0
8.000108 89881900 0000085 Blocked CPQCISSE+0x3ae8
8.000110 8982cda0 000000a Blocked cpqasm2+0x2a523
8.00013c 8974a9a0 00007d7 Blocked rdbss!RxSetMinirdrCancelRoutine+0x3d
8.000148 89747b20 000010a Blocked rdbss!RxIsOkToPurgeFcb+0x3f
8.00014c 89758a80 0019493 Blocked nt!NtNotifyChangeMultipleKeys+0x434
8.0002dc 89620680 000000e Blocked cpqasm2+0x5523
8.0002e0 89620400 00000d2 Blocked cpqasm2+0x584d
8.0004ac 895ae9c0 000955b Blocked srv!SrvOemStringTo8dot3+0xb7
8.0004c0 8937b4e0 0018fea Blocked srv!SrvOemStringTo8dot3+0xb7
8.0004a0 895b09e0 0018fe9 Blocked srv!SrvOemStringTo8dot3+0xb7
8.0004cc 893784e0 0018fe8 Blocked srv!SrvOemStringTo8dot3+0xb7
8.0004d0 893774e0 000955b Blocked srv!SrvOemStringTo8dot3+0xb7
8.0004d4 893764e0 0018fe8 Blocked srv!SrvOemStringTo8dot3+0xb7
8.003d68 87abb580 00000b7 Blocked rdbss!RxSearchForCollapsibleOpen+0x17c
8.002b94 88e4f180 00000b9 Blocked rdbss!RxSearchForCollapsibleOpen+0x17c
[89736940 smss.exe]
[896d3b20 csrss.exe]
178.000180 896c8020 0000012 Blocked ntdll!NtReplyWaitReceivePort+0xb
178.00018c 896c5320 0000012 Blocked ntdll!NtReplyWaitReceivePort+0xb
178.001260 88fbcb20 0000060 Blocked ntdll!NtReplyWaitReceivePort+0xb
178.001268 88fbbda0 0000060 Blocked ntdll!NtReplyWaitReceivePort+0xb
[896c8740 WINLOGON.EXE]
174.00019c 896b7740 0000299 Blocked ntdll!ZwDelayExecution+0xb
174.0001a0 896b6020 00015dd Blocked ntdll!NtRemoveIoCompletion+0xb
174.000f08 8913eda0 00000b0 Blocked ntdll!ZwWaitForMultipleObjects+0xb
174.000f0c 8901b020 00000b0 Blocked ntdll!ZwWaitForSingleObject+0xb
- Dmitry Vostokov @ DumpAnalysis.org -
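As an added example (not part of the original post): a small Python parser for the !stacks text shown above, accepting both the Kdextx86.dll and kdexts.dll layouts, that counts blocked threads per module named in the Blocker column. The function names are hypothetical, the samples are excerpted from the post's two outputs, and reading the Ticks column as hexadecimal is an assumption based on the digits shown.

```python
import re
from collections import Counter

# Process header: "[System]" (Kdextx86.dll) or "[89df84a0 System]" (kdexts.dll)
PROC_RE = re.compile(r"^\[(?:[0-9a-f]{8}\s+)?(?P<name>[^\]]+)\]$")
# Thread row: Proc.Thread, thread address, ticks, state, blocker
THREAD_RE = re.compile(
    r"^(?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\s+(?P<ethread>[0-9a-f]{8})\s+"
    r"(?P<ticks>[0-9a-f]+)\s+(?P<state>\S+)\s+(?P<blocker>\S+)$",
    re.IGNORECASE)

def parse_stacks(text):
    """Return one dict per thread row, tagged with its owning process."""
    threads, process = [], None
    for line in map(str.strip, text.splitlines()):
        m = PROC_RE.match(line)
        if m:
            process = m.group("name")
            continue
        m = THREAD_RE.match(line)
        if m:  # prompts, column headers and "..." lines never match
            row = m.groupdict()
            row["process"] = process
            row["ticks"] = int(row["ticks"], 16)  # assumption: hex
            # "srv!Sym+0xb7" -> "srv"; "cpqasm2+0x1ef0" -> "cpqasm2"
            row["module"] = re.split(r"[!+]", row["blocker"], maxsplit=1)[0]
            threads.append(row)
    return threads

def blockers_by_module(threads):
    """Count blocked threads per module named in the Blocker column."""
    return Counter(t["module"] for t in threads)

# Samples excerpted from the two outputs in the post
OLD_SAMPLE = """2: kd> !stacks
[System]
8.000004 89df8220 0000000 BLOCKED nt!KiSwapThread+0x1b1
8.00000c 89dc1860 0003734 BLOCKED nt!KiSwapThread+0x1b1
"""
NEW_SAMPLE = """[89df84a0 System]
8.0000f0 89c8a020 0019607 Blocked cpqasm2+0x1ef0
8.0004ac 895ae9c0 000955b Blocked srv!SrvOemStringTo8dot3+0xb7
8.0004c0 8937b4e0 0018fea Blocked srv!SrvOemStringTo8dot3+0xb7
[896d3b20 csrss.exe]
178.000180 896c8020 0000012 Blocked ntdll!NtReplyWaitReceivePort+0xb
"""

if __name__ == "__main__":
    print(blockers_by_module(parse_stacks(OLD_SAMPLE)))
    print(blockers_by_module(parse_stacks(NEW_SAMPLE)))
```

On the old-extension sample every thread collapses onto the single blocker nt!KiSwapThread+0x1b1, while the kdexts.dll sample separates the driver and server modules the threads are actually waiting in.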