Crash Dump Analysis Patterns (Part 65)
Not My Version is another basic pattern of the DLL Hell variety. We see it when we look at component timestamps and paths and realize that one of the modules from the production environment is older than the one we had during development and testing. The lmft WinDbg command produces the necessary output. If there are many modules, we might want to create a CAD graph (Component Age Diagram) to spot anomalies. Component version check is one of the basic troubleshooting and system administration activities that will be fully illustrated in the forthcoming book “Crash Dump Analysis for System Administrators and Support Engineers” (ISBN-13: 978-1-906717-02-5). Here is one example (module start and end load addresses are removed for visual clarity):
0:000> kL
Child-SP RetAddr Call Site
00000000`0012fed8 00000001`40001093 MyDLL!fnMyDLL
00000000`0012fee0 00000001`40001344 2DLLs+0x1093
00000000`0012ff10 00000000`773acdcd 2DLLs+0x1344
00000000`0012ff60 00000000`774fc6e1 kernel32!BaseThreadInitThunk+0xd
00000000`0012ff90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:000> lmft
module name
MyDLL C:\OLD\MyDLL.dll Wed Jun 18 14:49:13 2004
user32 C:\Windows\System32\user32.dll Thu Feb 15 05:22:33 2007
kernel32 C:\Windows\System32\kernel32.dll Thu Nov 02 11:14:48 2006
ntdll C:\Windows\System32\ntdll.dll Thu Nov 02 11:16:02 2006
2DLLs C:\2DLLs\2DLLs.exe Thu Jun 19 10:46:44 2008 (485A2B04)
uxtheme C:\Windows\System32\uxtheme.dll Thu Nov 02 11:15:07 2006
rpcrt4 C:\Windows\System32\rpcrt4.dll Tue Jul 17 05:21:15 2007
lpk C:\Windows\System32\lpk.dll Thu Nov 02 11:12:33 2006
oleaut32 C:\Windows\System32\oleaut32.dll Thu Dec 06 05:09:35 2007
usp10 C:\Windows\System32\usp10.dll Thu Nov 02 11:15:03 2006
ole32 C:\Windows\System32\ole32.dll Thu Nov 02 11:14:31 2006
advapi32 C:\Windows\System32\advapi32.dll Thu Nov 02 11:11:35 2006
gdi32 C:\Windows\System32\gdi32.dll Thu Feb 21 04:40:51 2008
msvcrt C:\Windows\System32\msvcrt.dll Thu Nov 02 11:13:37 2006
imm32 C:\Windows\System32\imm32.dll Thu Nov 02 11:13:15 2006
msctf C:\Windows\System32\msctf.dll Thu Nov 02 11:13:42 2006
This pattern should be checked when we have instances of Module Variety and, especially, Duplicated Module. Note that this pattern can also easily become an anti-pattern when applied to an unknown component: Alien Component.
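The timestamp and path check can be automated once the lmft output is saved as text. The following Python is an added example, not code from the original post: it parses lmft lines in the address-stripped form shown above, orders modules by age (the raw data for a Component Age Diagram), and compares them against a baseline. The BASELINE paths and timestamps and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: three lmft lines in the address-stripped form shown above.
LMFT = r"""
MyDLL C:\OLD\MyDLL.dll Wed Jun 18 14:49:13 2004
kernel32 C:\Windows\System32\kernel32.dll Thu Nov 02 11:14:48 2006
2DLLs C:\2DLLs\2DLLs.exe Thu Jun 19 10:46:44 2008 (485A2B04)
"""

# Hypothetical baseline recorded from the development/test build (assumed values).
BASELINE = {
    "MyDLL": (r"C:\2DLLs\MyDLL.dll", datetime(2008, 6, 19, 10, 40, 0)),
    "2DLLs": (r"C:\2DLLs\2DLLs.exe", datetime(2008, 6, 19, 10, 46, 44)),
}

# name, path (may contain spaces), weekday (ignored), then the timestamp.
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<path>.+?)\s+(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")

def parse_lmft(text):
    """Return {module: (path, timestamp)} for every line that parses."""
    modules = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S %Y")
            modules[m["name"]] = (m["path"], ts)
    return modules

def not_my_version(modules, baseline):
    """List (module, reason) pairs where the dump disagrees with the baseline."""
    findings = []
    for name, (want_path, want_ts) in baseline.items():
        if name not in modules:
            continue
        path, ts = modules[name]
        if ts < want_ts:  # production module is older than the tested one
            findings.append((name, f"older by {(want_ts - ts).days} days"))
        if path.lower() != want_path.lower():  # Windows paths: case-insensitive
            findings.append((name, f"loaded from {path}"))
    return findings

def age_order(modules):
    """Module names sorted oldest first: the data behind a Component Age Diagram."""
    return sorted(modules, key=lambda n: modules[n][1])

if __name__ == "__main__":
    mods = parse_lmft(LMFT)
    print(age_order(mods), not_my_version(mods, BASELINE))
```

System modules are left out of the baseline here on purpose: their timestamps vary with the patch level, so flagging them without a known-good reference is how the check drifts toward the Alien Component anti-pattern.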
- Dmitry Vostokov @ DumpAnalysis.org -
October 9th, 2008 at 4:45 pm
[…] NotMyDLL module time stamp we identified Not My Version pattern because we expected much later […]
April 23rd, 2009 at 10:00 pm
[…] the hang happens after printing we detect old printer drivers in the module list (certainly not my version of the environment used for application […]
August 11th, 2009 at 3:04 pm
[…] check its data using lmv WinDbg command and find out that it is old and needs to be updated. But we don’t stop our investigation here. The fact that ServiceA […]
October 12th, 2009 at 7:08 pm
[…] from the initial coupled pair where nothing was found before. The timestamp of that component was old enough (lmv command) to warrant more attention to it and contact its […]
October 20th, 2009 at 1:05 pm
[…] runtime unless we enable Application Verifier. Looking at DllB version data we see that it is the old component that needs to be […]
October 20th, 2009 at 10:59 pm
[…] from Google search we can find that there is newer version available (variant of Not My Version pattern) and even some indication on various forums that the older ones had problems with CPU resource […]
November 16th, 2009 at 4:33 pm
[…] is a hardware counterpart of Not My Version pattern. Some problems manifest themselves on different hardware not used at the time of the […]
June 7th, 2010 at 11:50 pm
[…] at DriverA timestamp we notice it is much older than expected and Google search points to similar cases (but not for virtualized systems) where it was […]