October 5th, 2006
I believe that studying the Linux kernel and playing with it will broaden your conceptual understanding of kernel development and its issues, and you can apply that to Wintel stuff too. I’m not a complete Windows guy, as you might think after reading my previous posts. I spent 1.5 years (before joining Citrix) under RedHat Linux writing C++ software quality tools (in C++, using the Emacs editor) while working for Programming Research Ltd (www.programmingresearch.com). And 6 years ago I did multi-platform (Windows, Linux, Solaris) architecture, design and programming for Boeing Commercial Airplanes Group (while working for the biggest Russian outsourcing company, Luxoft, www.luxoft.com). Coupled with all this prior knowledge about Linux, I’m on my journey to study the latest Linux kernel (2.6), and I would recommend 2 wonderful books I’m reading now:
- Linux Kernel Development, 2nd Edition
- Understanding Linux Kernel, 3rd Edition
and another fantastic book about Unix internals in general:
- UNIX Internals
- Dmitry Vostokov -
Posted in Books, Kernel Development, Software Architecture | No Comments »
October 3rd, 2006
I noticed one engineer frequently switching between WinDbg and Calc. Forget about using calc.exe during debugging or dump analysis sessions. Save your valuable time. Don’t multiprocess. Use the ? and .formats commands:
0:000> ? 2 + 2
Evaluate expression: 4 = 00000004
0:000> .formats 4
Evaluate expression:
Hex: 00000004
Decimal: 4
Octal: 00000000004
Binary: 00000000 00000000 00000000 00000100
Chars: ....
Time: Thu Jan 01 00:00:04 1970
Float: low 5.60519e-045 high 0
Double: 1.97626e-323
Now you can do your finance calculations in WinDbg too.
The WinDbg Way!
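As an added example (not from the post and not WinDbg’s own code), here is a small Python model of what .formats does with a bit pattern, so the output above can be read with understanding: Float and Double are the same bits reinterpreted as IEEE-754 values, Time treats the low 32 bits as seconds since 1970, and Chars shows the bytes as ASCII, which is handy for spotting four-character tags and markers in a dump. The width parameter (32 or 64) is my own addition.

```python
import struct
import time

def windbg_formats(value, width=32):
    """Model of WinDbg's .formats for an unsigned value of `width` bits
    (added example, not WinDbg's own code): one bit pattern, many views."""
    mask = (1 << width) - 1
    v = value & mask
    lo, hi = v & 0xFFFFFFFF, (v >> 32) & 0xFFFFFFFF
    raw = v.to_bytes(8, "little")                      # little-endian image
    nbytes = width // 8
    return {
        "hex": f"{v:0{width // 4}x}",
        "decimal": str(v),
        "octal": f"{v:0{(width + 2) // 3}o}",
        # bytes from most to least significant, as .formats prints them
        "binary": " ".join(f"{raw[i]:08b}" for i in reversed(range(nbytes))),
        # first 4 bytes as printable ASCII, '.' otherwise (tags show up here)
        "chars": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw[:4]),
        # only the 32-bit time_t view (seconds since 1970, UTC) shown on the page
        "time": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(lo)),
        # same bits reinterpreted as IEEE-754 single (low/high dword) and double
        "float_low": struct.unpack("<f", struct.pack("<I", lo))[0],
        "float_high": struct.unpack("<f", struct.pack("<I", hi))[0],
        "double": struct.unpack("<d", struct.pack("<Q", v))[0],
    }
```

Feeding it 4 reproduces the .formats output above line for line; feeding it a constructed value such as 0x636F7250 shows "Proc" in the Chars view.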
- Dmitry Vostokov -
Posted in Crash Dump Analysis, Tools | No Comments »
October 3rd, 2006
If this scenario happens after some event or user action, most likely some notification hooks were involved. The WinDbg !thread command on the current processor will most likely catch the running thread rather than the idle loop thread, and the !process command will show the current process context. Then from the thread stack you can make an educated guess about which components were likely responsible.
To change the current processor when looking at a dump from a multiprocessor platform, use the ~“p”s command, where “p” is the zero-based processor number; for example, ~1s changes the current processor to the second processor. Remember that every processor has its own thread and process context. If a processor has nothing to do, it is looping in the KiIdleLoop thread, which belongs to the Idle process.
- Dmitry Vostokov -
Posted in Crash Dump Analysis | 2 Comments »
September 27th, 2006
HTML version of selected lecture materials from my forthcoming book is available on my personal web site:
http://www.dumpanalysis.org/blog/index.php/foundations-of-debugging-x86/
Topics available online include:
- Memory, registers and simple arithmetic
- Number representations and pointers
- Bytes, words, double words and pointers to memory
- Instruction pointer and disassembling a program with pointers
- Memory and stacks
- Frame pointer and local variables
- Function parameters
- Function pointer parameters
- Virtual memory, processes and threads
- Arrays and structures in memory
In addition to x86 (32-bit), the book covers assembler, C/C++ and crash dump analysis on the following platforms:
- x64 Windows
- Windows Mobile (ARM processors)
It will include an educational version of an x86/x64/ARM4 assembler and interpreter written using modern C++ and STL (including UML diagrams of all classes and components) and much more! Although all this bonus stuff is still under development, it is actually working: compiling, loading and executing/interpreting small assembly language programs.
I’m also planning to publish an Internet version of this assembly language interpreter to run small educational assembly language programs anytime, anywhere. The latter Citrix-like goal is actually part of my Masters degree project.
- Dmitry Vostokov -
Posted in Crash Dump Analysis | No Comments »
September 15th, 2006
During development of one of my projects for Windows Mobile I needed full information about the windows on my Pocket PC devices. I needed that information gathered in real time and when I was not connected to my host PC, so I couldn’t use remote SPY++ from the MS Windows CE tools. The decision was to port the existing Citrix WindowHistory tool to Windows CE. It worked well, and I tested it on the Windows Pocket PC 2003 emulator and on real devices running Windows Mobile 5.0 (an Acer n300 and a Mio A701 mobile phone, both with ARM processors). It should work on any other mobile device powered by an ARM/XScale processor.

- Dmitry Vostokov -
Posted in Tools, Windows Mobile | No Comments »
September 13th, 2006
Don’t expect me to talk about Netscaler stuff. I’m a Windows guy. It started in 1989 when I got a PS/2 with 2Mb of memory on board and Windows 2.x as a GUI appliance to an IBM thermal printer. And then suddenly Windows 3.0 appeared and I didn’t have a clue about programming on it (I was an MS DOS guy). Thanks to BBS (some of you probably have never heard about it; it was a mini Internet at that time) I got a text file, that wonderful book “Programming Windows” 1st edition written by Charles Petzold, read it twice and, being fascinated by the Windows GUI’s independence from hardware, went straight to programming a Norton Commander variant. Enough nostalgia. Let’s come back to Citrix and hardware.
I’m a big fan of OSR. Read their articles and bought some hardware from them to learn about USB driver programming, like this one:
This is a real USB device! You connect it via cable to your USB port and you have a button, switches and indicators. Inspired by this device, I’m writing a driver which will monitor the health of a Citrix server by lighting the appropriate indicators when your IMA service is gone, showing the number of active sessions, etc. And there is a button which could force a server to show a blue screen (in other words, force a system dump to analyze later; that’s my job at Citrix) if things go beyond the control of a Citrix administrator. Something like magic to me. Stay tuned.
- Dmitry Vostokov -
Posted in Citrix, Hardware | No Comments »
September 13th, 2006
Finally Citrix has got its own troubleshooting tool for capturing window messages. It is similar to what SPY++ does but easier to use, especially in a customer environment. Existing tools are useful for developers focusing on a specific product whose internals they know, or in the process of debugging. Customers and technical support need something different. From my experience, existing tools require too much effort from a customer who sees and tries to use them for the first time. On the other hand, technical support needs good traces where nothing has been left out. So I sat down at my 64-bit workstation and spent a weekend developing this lightweight tool to let customers do the minimum and record everything, and thus avoid the usual turnaround in technical support cases requiring message capture, and at the same time simplify trace analysis (at least for myself).
While developing this tool I discovered its major feature: the ability to capture all messages from 64-bit applications (in addition to messages from 32-bit applications). All existing tools I could find capture messages from 32-bit applications only.
You can download MessageHistory for free from the Citrix support web site (requires free registration):
MessageHistory
Also check out Citrix WindowHistory for 32-bit and WindowHistory for 64-bit platforms.
Currently I’m developing a presentation/class: “Understanding windows and messages: peering inside Citrix troubleshooting tools and their log files (WindowHistory and MessageHistory)”.
Further plans are to develop more tools to track the history of various system events (in addition to windows and messages) and finally develop a toolbar to integrate all of them.
- Dmitry Vostokov -
Posted in Tools | No Comments »
September 12th, 2006
Not really new, as it was previously called CtxBSOD v2.1, but it was renamed to better show its purpose. In addition to renaming, I added a command line option to dump a system remotely or from a command line locally without using its GUI. The main motivation for me to write this tool was the absence of similar tools for 64-bit Windows. SystemDump can dump a 64-bit server too!

You can download it from the Citrix support web site (requires free registration):
http://support.citrix.com/article/CTX111072
Main features:
- The tool has both GUI and command line interfaces.
- You can type a message/text (or copy it from the clipboard) before forcing a memory dump. This message is saved in the dump and a support engineer can read it after loading the dump in WinDbg.exe. This is implemented to encourage writing down the symptoms and conditions explaining why the dump had to be forced.
- The tool can stay on top of any window (if you need this to quickly dump the server after a reproduction or during the process of an activity).
- It is supplied with Program Database (PDB) symbols for the driver (32-bit and 64-bit), which is useful when you want to have all symbols present on the bugcheck thread.
- The bugcheck clearly shows that the dump is manually generated.
- The tool can force a memory dump on both 32-bit and 64-bit platforms.
- Before forcing a fatal error on a server, the tool warns about the potentially damaging consequences: users are disconnected and all unsaved data will be lost. It asks for confirmation.
- You can specify a period of time (in minutes) before forcing a memory dump.
The latter feature is implemented entirely in the kernel. An additional command not covered in the article is
>SystemDump.exe abort
which allows you to abort the action if you ran the tool using command line options.
I have attached the UML component diagram showing the architecture of this tool. I recently developed a presentation about device driver architecture and Citrix kernel drivers where I used this tool as one of the examples.

- Dmitry Vostokov -
Posted in Crash Dump Analysis, Software Architecture, Tools | 2 Comments »
September 10th, 2006
I’m still playing with WinDbg scripting and applying it to dump analysis. The following script will uncover deadlocks and critical section contention in user mode processes (including services) if you run it against a complete memory dump:
$$
$$ List owned critical sections in user processes
$$
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
.process @$t2
.reload
!ntsdexts.locks
}
To run it, save it in a file and use the following command in WinDbg: $$><script.txt
- Dmitry Vostokov -
Posted in Crash Dump Analysis, Tools | 1 Comment »
September 9th, 2006
I have two devices with Windows Mobile 5.0:
Acer n300
http://global.acer.com/products/pda/n300.htm
and mobile phone Mio A701
http://www.mio-tech.be/en/gps-navigation-products-a701-overview.htm
I bought them for debugging and testing my forthcoming product OpenTask Mobile 5.0 but found yet another use for them: dump analysis.
I frequently consult the WinDbg help for ideas. I printed it to an HTML file and split it into 9 parts of less than 1Mb each so that Pocket IE on my devices can load them. Now I can read the help file while commuting to work, shopping, walking or simply when my notebook is not accessible.
- Dmitry Vostokov -
Posted in Crash Dump Analysis | 2 Comments »
September 9th, 2006
The most common scenarios technical support people encounter when facing the need to create a dump are:
http://support.citrix.com/article/CTX104633
(the article is applicable to any process, not only to the Citrix IMA service)
http://support.citrix.com/article/CTX106110
- No user dumps saved by Dr. Watson
http://support.citrix.com/article/CTX105888
http://support.citrix.com/article/CTX106970
(the article is applicable to any process, not only to the Citrix IMA service)
- Need a system dump from a remote session? Use SystemDump (to get this tool you need to register on the Citrix support web site; this is free)
http://support.citrix.com/article/CTX111072
- Got a correct dump? Use Citrix DumpCheck (to get these utilities you need to register on the Citrix support web site; this is free)
http://support.citrix.com/article/CTX108825 (Explorer extension)
http://support.citrix.com/article/CTX108890 (Command line version)
- Dmitry Vostokov -
Posted in Crash Dump Analysis | No Comments »
September 9th, 2006
I couldn’t find any forum on the Internet dedicated solely to dump analysis topics, so I created one some time ago. It is sponsored by me and free for everyone.
Recently I did some file tossing and it is now accessible directly from www.dumpanalysis.org.
- Dmitry Vostokov -
Posted in Crash Dump Analysis | No Comments »
September 7th, 2006
It takes approximately 10 - 30 minutes to process an average 2Gb complete memory dump. After loading a couple of dumps I found the following useful features so far:
- You can save analysis tree in a file and open it later for further analysis (but you need to keep dump file too)
- Wait chains might be useful. However, the tool reports too many of them (608 in my dump). They are sorted by length, so it might be useful in detecting lengthy chains
- It also detects anomalous (corrupt) critical sections in user processes
- It detects deadlocks (you don’t need to enable Driver Verifier and reboot the system to get a new dump)
I’m currently using this tool with every memory dump I get and will post interesting cases.
- Dmitry Vostokov -
Posted in Crash Dump Analysis, Tools | No Comments »
September 7th, 2006
I got a dump with 30 IE processes running and I want to find the only one waiting on a specific function. I know there is one. The following script lists all processes and their stacks (of course, I had already opened a log in WinDbg to save that huge amount of output):
$$
$$ List user processes and stacks
$$
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
.process @$t2
.reload
!process @$t2
}
- Dmitry Vostokov -
Posted in Crash Dump Analysis, Tools, WinDbg Scripts | 3 Comments »
September 6th, 2006
Microsoft has released this tool to help analyze memory dumps. I’m currently evaluating it and will post my opinion later. It seems to be a pretty cool tool according to its description and the PPT presentation, which you can download here:
Kernel Memory Space Analyzer
You need to manually copy the x86 folder from kktools to your Debugging Tools for Windows folder and run kanalyze.exe from there. Refer to the PPT presentation for details.
- Dmitry Vostokov -
Posted in Crash Dump Analysis, Tools | 1 Comment »
August 25th, 2006
Faced with a dilemma, to write or not to write debugging extensions, I looked at the possibility of trying scripts instead.
After spending some hours I wrote the final version of my first script, which can enumerate processes in a complete memory dump and output their command lines.
You need to save the script below in a text file and use the following command to run it from the WinDbg command prompt: $$><script.txt
$$ WinDbg script to get process command line for all processes in complete memory dump
$$ Walk the doubly linked list starting at nt!PsActiveProcessHead; stop on a null link or when back at the head
r $t0 = nt!PsActiveProcessHead
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
$$ ActiveProcessLinks is embedded in _EPROCESS, so step back to the containing record
r? $t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks);
.process @$t2
$$ System-level processes have no PEB; skip them
.if (@$peb != 0)
{
$$ The PEB lives in user space and may be paged out, so guard the read
.catch
{
r $t3 = @@c++(@$peb->ProcessParameters)
r? $t4 = @@c++(&((_RTL_USER_PROCESS_PARAMETERS *)@$t3)->CommandLine)
.printf "_EPROCESS: %N Command Line: %msu\n", @$t2, @$t4
}
}
}
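The three scripts on this page (the critical-section listing, the process/stack listing and the command-line script above) all rest on the same walk of PsActiveProcessHead through CONTAINING_RECORD. As an added illustration, not code from the post, here is that walk in Python over a constructed 32-bit memory image with hypothetical record offsets (not real nt!_EPROCESS ones); it shows why the loop tests for a zero link (a corrupted list stops the walk instead of looping or faulting) and raises on an out-of-dump read, the failure the script’s .catch block absorbs.

```python
import struct

# Constructed 32-bit "memory dump" (added illustration, not code from the post);
# the record layout and offsets are hypothetical, not nt!_EPROCESS.
OFF_PID = 0            # 4-byte process id
OFF_LINKS = 4          # LIST_ENTRY ActiveProcessLinks {Flink, Blink}
OFF_NAME = 12          # 16-byte image file name
PROC_SIZE = 28
BASE = 0x80100000      # address of our stand-in for nt!PsActiveProcessHead
HEAD_SIZE = 8
PROCS = [(4, "System"), (512, "csrss.exe"), (1234, "iexplore.exe")]

def build_image(procs, break_after=None):
    """Lay out the list head and records and link every LIST_ENTRY into a ring,
    like PsActiveProcessHead. break_after=i zeroes record i's Flink (corruption)."""
    mem = bytearray(HEAD_SIZE + PROC_SIZE * len(procs))
    recs = [BASE + HEAD_SIZE + i * PROC_SIZE for i in range(len(procs))]
    entries = [BASE] + [r + OFF_LINKS for r in recs]   # head first
    for r, (pid, name) in zip(recs, procs):
        struct.pack_into("<I8x16s", mem, r - BASE, pid, name.encode())
    n = len(entries)
    for i, e in enumerate(entries):
        flink, blink = entries[(i + 1) % n], entries[(i - 1) % n]
        if break_after is not None and i == break_after + 1:
            flink = 0
        struct.pack_into("<II", mem, e - BASE, flink, blink)
    return bytes(mem)

def read32(mem, addr):
    """poi(addr); raises if the address is outside the dump (what .catch absorbs)."""
    off = addr - BASE
    if not 0 <= off <= len(mem) - 4:
        raise ValueError(f"address {addr:#010x} is not in the dump")
    return struct.unpack_from("<I", mem, off)[0]

def walk_active_processes(mem):
    """The script's .for loop: $t0 = head, $t1 = poi($t0), continue while
    $t1 != 0 and $t1 != $t0; CONTAINING_RECORD is 'subtract the field offset'."""
    t0 = BASE
    t1 = read32(mem, t0)
    found = []
    while t1 != 0 and t1 != t0:
        eprocess = t1 - OFF_LINKS                          # CONTAINING_RECORD
        pid = read32(mem, eprocess + OFF_PID)
        start = eprocess + OFF_NAME - BASE
        name = mem[start:start + 16].split(b"\0", 1)[0].decode()
        found.append((eprocess, pid, name))
        t1 = read32(mem, t1)                               # follow Flink
    return found
```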
- Dmitry Vostokov -
Posted in Crash Dump Analysis, Tools, WinDbg Scripts | No Comments »
August 22nd, 2006
The following tool I wrote saves historical logs of events in a session (windows, messages, etc.):
WindowHistory for 32-bit platforms
WindowHistory for 64-bit platforms
Also forthcoming tools (already written and soon to be published):
WindowHistory CE/Mobile for ARM/X-Scale processors
MessageHistory for 32-bit and 64-bit platforms
The latter is better than SPY++ because it can spy on messages for 64-bit windows and also has been written with support personnel and customers in mind:
Watch Citrix Tools for updates (requires free registration)
- Dmitry Vostokov -
Posted in Tools | No Comments »
August 22nd, 2006
Everything about crash dump analysis and debugging on Windows platforms
http://www.dumpanalysis.org/forum
My favourite question is about the 8-byte atomic write on a 32-bit platform.
- Dmitry Vostokov -
Posted in Crash Dump Analysis | No Comments »
August 17th, 2006
CtxBSOD v2.1 has just been published; it allows you to crash your computer and embed a message in the dump. Dumps are becoming a universal medium of discourse between customers and support personnel. New plans are for developing DumpChat, which will utilize live debugging techniques:
http://support.citrix.com/article/CTX111072

- Dmitry Vostokov -
Posted in Crash Dump Analysis | No Comments »