I opened it with an editor,totally messy.
BTW, in the "Disassembly" view,is it possible to dump all the assembly code? I tried but can only grab a screen of lines
I've been keeping track of your questions. There's context that you should have put in your question, I think you're trying to debug a DirectShow plug-in that you don't have the source code for. Some kind of camera gizmo.
No, opening a .pdb file in a text editor isn't going to show you anything useful. It is binary data. I know you have a relevant .pdb for the plug-in you're working with, you get decent stack traces with named functions. You probably got the .pdb from the Microsoft Symbol server. Reading a .pdb file is the job of the debugger. There are several APIs available to read it yourself, the dbghelp API is the core one.
But it will not show you anything you don't already know from the debugger. The .pdb file is just a database of functions. You got the stripped one, it will never show more than what you see in the call stack window.
Ultimately, this is a chain of XY questions. You keep asking about Y without ever revealing what the real X problem is all about. You'll just get useless answers, like this one, until you tell us about X.
CodeProject: How to Inspect the Contents of a Program Database (PDB) File
Keep in mind though, that those files are for the debugger and not directly for you. At least I don't have the urgent wish of being able to read every possible file format in a text or hex editor.
Bearing in mind #Hans Passant's remarks - I think the question as is deserves an answer, if nothing else then for sake of those arriving here by search.
The shipped tool for PDB inspection is DBH. It is bundled with debugging tools for windows. While admittedly a command line tool (I'm from the GUI generation personally) , it is tremendously rich in features and you'd be hard pressed to find anything it can't do in half a line.
It sounds like what you want is the dumpbin command. Note that this requires the VC tools to be in your PATH; you could either use the appropriate shortcut in the start menu or run %VSxxCOMNTOOLS%\vsvars32.bat, where xx is a mnemonic for the actual version of VC you are using: the easiest way to figure out exactly what environment variable to use is probably to run set and see what variables with such names are actually set in your environment. For instance, on a system with MSVC 2005 Express and MSVC 2008 Express installed, I get this:
C:\code\xemacs-beta\nt>set | grep "VS.*COMNTOOLS"
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
So, to create a new shell window with the VC 9 (2008) tools added to the path, I can run start "VC 9" "%VS90COMNTOOLS%\vsvars32.bat". (The "VC 9" argument is the title for the new window.)
Anyway, with the VC tools in PATH, we can run such commands as dumpbin /disasm ..\src\temacs.exe > temacs.disasm (except you probably aren't in the nt subdirectory of an xemacs tree, so stick whatever path you want there). This will disassemble the file given, using any appropriate PDB it can find for the symbol names.
What MS calls documentation can be found in the dumpbin MSDN entry (actually, it's a lot better than I remembered it as being -- perhaps I was sore at it for being so uninformative about the /disasm flag in particular), but don't underestimate the usefulness of dumpbin /? -- it may not give as much information, but at least you can see it all on the screen at one time.
Related
I'm trying to do dump analysis using Visual Studio Professional 2017, but when entering the command .natvisreload in the watch-window I get syntax error and there is nothing in the output window. (This seems to mean that the command is not understood)
In order to get me on track of the real problem, I'd like to know an example of another command I can launch in the Watch window: does anybody know another command, starting with a dot, I can launch in the Watch window (in order to distinguish whether the issue is related to the specific command .natvisreload or to the general Watch window)?
"natvis" is an abbreviation for "native visualizer". Used by the unmanaged debugging engine to provide a customized view of a native object. The .natvisreload command is one that only the unmanaged debugging engine can understand. From the comment it is somewhat obvious how this went wrong:
An example of the slug you see when you use File > Open > File to open a minidump for a process that uses managed code. Note the 3 options you have at the upper right to get the debugging started. "Managed Only" only enables the managed debugging engine, "Native Only" for the unmanaged engine, "Mixed" enables both.
You used "Mixed". While that enables both engines, there can be only one active at the same time. Unfortunately it is not always obvious which particular one is in control. Other than the debugger being able to display source code. And a side effect like you discovered here, the ".natvisreload" command goes "huh?" since that is not a command that the managed debugging engine understands.
So one workaround is to use "Native Only".
You can however switch between engines on-the-fly. This normally happens automagically when the debugger lands on a breakpoint. Not an option for dump debugging. The non-intuitive other way is to use the Debug > Windows > Call Stack debugger window. In mixed-mode debugging you see both managed and unmanaged stack frames in the stack, starting with RtlUserThreadStart at the bottom. Double-click one of these frames, like the bottom one, and the debugger switches engines. Note that you don't necessarily have something decent to look at, especially if this was a managed program, and you merely get a machine code dump for the native code. The ".natvisreload" command will however now work as intended.
I have a serious issue, my harddisk crashed yesterday , and i had tons of projects on it .I lost most of them but the ones i recovered are all the debug folders i sent to clients (most of them are desktop applications). I am unable to recover the code for most of the work , but i do have debug folders , my question is is there any way that i can recover my code from them.
I am sure some one you would have gone through it in the past, please help if you have any information regarding this.
Files in the debug folder:Example i make application apple
apple.exe type=application
apple.pdb type=PDBFIle
apple.vshost type=Application
apple.vshost.exe.mainfest type=MANIFEST File
ADDITIONAL INFO:
My laptop hardisk crashed so i am currently using it as a usb drive with another laptop . I had 3 partitions but now i see 4 i,j,k,l . One of them which used to be my D: drive working fine, i see it shows 72 GB free out of 150 GB. Rest of them they are just there no info, when i click them nothing for minutes then it says format drive etc... If you know how to fix that that would be wonderful.
Thank you
You really lucked out with having access to the Debug folders containing your compiled binaries. The fact that you're working in a managed language (C#) means that you can use one of the many .NET decompilers to display the source code that they contain in a readable format. It may not be exactly the same as what you initially typed into Visual Studio, but it will be pretty darn close—way better than can normally be expected in the event of a system crash.
I used to recommend Redgate's .NET Reflector for this task, but they recently decided to eliminate the free version of their decompiler utility and adopted some business practices that I personally disagreed with. Then again, their tools are probably still the best around, so you might consider downloading their 30-day trial to attempt to get your code back. Who knows, you might like it so much that you buy!
If you're a cheapskate like me, or a devotee to truly free software, you can try one of the free alternatives that cropped up after Reflector became not free, like ILSpy, developed by the same people who develop SharpDevelop. Even more alternatives are listed here.
Whichever decompiler utility you choose, download a copy and open its executable. Then from the "File" menu, choose "Open", and navigate to the first compiled .exe from which you want to recover source. The utility will display the name of your application and some metadata about your assembly. From here, you can make sure that you opened the correct file.
In both ILSpy and .NET Reflector, you can click the [+] toggle next to your application's name to expand its listing. You'll see a bunch more expandable items, like References (the DLLs that your application uses), Resources (the resource files compiled into your application), and the namespaces defined in your code. Expanding an individual namespace will show you all of the types defined in that namespace, and expanding a type will show you all of the types, methods, members, etc. defined in that type, and so on down the hierarchy. Clicking on individual items in the source tree to the left will display the decompiled code in the output pane to the right; both ILSpy and .NET Reflector support displaying the code as C#, which should look very readable to you.
For example, using ILSpy to open the ILSpy.exe application itself produces the following output:
You really can't break anything in here, so navigate around, exploring and seeing what all can be recovered, amazed at how well this works. Everything works just as well with DLLs as it does with EXEs.
Then get started copying and pasting...
The next order of business is getting your system stable again. If you had a hard disk crash, you definitely don't want to trust that drive ever again! Run out and buy a new one immediately, wipe it, and reload Windows.
Once you finish with that, you definitely want to get on setting up a source/version/revision control system to use in the future to store your code. All smart developers use this for so many reasons. Find more information with a Google search. There are lots of different options. Which one you pick is not important; the important thing is that you pick one!
It seems there are dozens of debugger and debugging tools that Microsoft produces, which creates a maze of choices and questions concerning which tool to apply, and when. For example, there is windbg - and the debugger built into Visual Studio. Both can access minidumps. Why would I choose one over the other?
Dr. Watson was the default post-mortem crash analysis tool of the past. It has now been replaced with "Problem Reports & Solutions". Which is in turn replaced with IIS Exception Monitor on servers? And perhaps all of this is built on top of "Microsoft CDB Debugger," or perhaps that is a another duplicate tool? ADPlus, yet another one, is built on CDB Debugger. The maze seems to go on endlessly.
Can someone provide a link to a taxonomy or roadmap of all these tools, with comments of which are being deprecated (Dr. Watson?) and what "tool direction" debug students should absorb? I'm sure there are a number of tools and base libraries I've not mentioned here. it would be nice to know the dependencies between them too (such as ADPlus using the CDB Debugger).
I've found this link to be helpful, since it answers some of the questions I'm asking - though the material is dated. Any other resources that give a similarly simple compare / contrast run-down?
There is no difference between CDB and NTSD, other than how they spawn new windows. Choosing when to use Visual Studio over the command line debuggers is sometimes a matter of personal choice, but sometimes the command line is a better tool for the job. Once you get good at using the command line debuggers, you can get things done much more quickly. I suspect there are a few scenarios that remain where you can only debug a specific problem with the command line debugger, but I can't think of any off hand. The third debugger you've missed is kd, which is the kernal debugger. If you want to debug kernal mode stuff (i.e. your device drivers you've written) it's really your only choice.
CDB, NTSD and KD are all part of the debugging tools for Windows, itself part of the DDK. Visual Studio does not depend on the other debugging package and vice-versa.
Watson and the like are not debuggers. They merely observe and report. I suspect the best advice there is use whichever one is appropriate to your problem. I mean, there are lots of tools for all sorts of different MS technologies. E.g. Orca for MSI databases. All of these products are unrelated, often released and maintained by different divisions, etc. As a result, I doubt you'll find a chart showing their relationships since they are so diverse.
I just came back to C++ Builder after 5 or more years away. I seem to remember a nice tool where I could drag its pointer over the GUI of my running application and get lots of info about what was pointed at - handle, size, text, parent, children, etc
IIRC, if the exe include debug info I could also get the actual variable name as used in the source.
Does anyone know what program I am talking about? Thanks
There are several options:
Winspector
This is the program I've used the most of these Spy++ like programs, it has all the features I needed and worked without complaints on my developer machine, it has been quite some time since I've used it though. And the official site seems to be down for some reason ( http://www.windows-spy.com/ ) but luckily you can get a version from softpedia: http://www.softpedia.com/get/Security/Security-Related/Winspector.shtml
WinSpy
I have used this program for debugging, and finding out which messages was sent to different windows, it worked quite well, and was a good alternative to Spy++, besides it is free. You can download it from here: http://www.catch22.net/software/winspy
SpyStudio by Nektra
I have never tried this program but it actuall seems to do what you asks, and it is free. It can be found here: http://www.nektra.com/products/spystudio-api-monitor/
(source: nektra.com)
WinID
From what I've heard WinID should be able to perform much of the same, but I have never tried the program myself. You can download it from here: http://www.dennisbabkin.com/php/download.php?what=WinID this program is not compatible with Windows Vista though (and probably not Windows 7 either).
The challenging option
If there is a bit of a pioneer in you, you might want to create your own utility, although this is most likely not what you want, but if so you can check out these codeproject pages:
http://www.codeproject.com/KB/graphics/screen_capturing.aspx
http://www.codeproject.com/KB/dialog/windowfinder.aspx
These are all a lot like the Spy++ program that came with Visual Studio. Last but not least you might find other programs in this thread: I want Spy++ but I don't have Visual Studio
A very decent effort to revive the beloved but defunct winspector is window detective : http://windowdetective.sourceforge.net/
What you describe in the question sounds like TestComplete. http://www.automatedqa.com/products/testcomplete
If you compile the application as an "open application"(you add a few .pas from TestComplete to the project) then it will use the debug information and you will be able to see private data members of the classes and their value.
I've used minidumps on many game projects over the years and they seem to have about a 50% chance of having a valid call stack. What can I do to make them have better call stacks?
I've tried putting the latest dbghelp.dll in the exe directory. That seems to help some.
Is Visual Studio 2008 or 2010 any better? (I'm still on VS 2005).
The code I use looks like this sample.
One thing you can do to improve the accuracy of call stacks found in dumps is to use a debugger other than Visual Studio -- specifically, use WinDbg or another tool that uses the "Windows Debugger" debugging engine found in dbgeng.dll (as opposed to the "Visual Studio Debugger" debugging engine that Visual Studio uses).
In our experience, WinDbg is 100% reliable in producing good call stacks from the same dumps where Visual Studio produces unusable or wildly inaccurate call stacks. From what I can tell, in cases where an unhandled exception is the source of the crash WinDbg automatically performs the tricky process of reconstructing/recovering the exception callstack, but Visual Studio does not (or cannot?). The two debuggers use different heuristics for interpreting stacks
WinDbg can be daunting at first, so here's my quick guide on how to make it easier or even avoid having to use it directly.
A Mere Mortal's Guide To Extracting Good Callstacks
These are ordered from "fastest/easiest" to "slowest/most cryptic to interpret".
Easiest Option: use DbgDiag from Microsoft
This is a little-known tool that automates a lot of analysis of common problems, and it's simple enough to give to non-programmers or even customers. It's fast and nearly foolproof, and has become my "go to" tool for quickly analyzing an incoming crash dump.
Launch the "DebugDiag Analysis" application
Select the "CrashHangAnalysis" checkbox on the main page
Drag-and-drop your dump into the "Data files" pane on the main page
Click "Start Analysis"
After a few seconds to a few minutes it will spit out a nice .mhtml file containing an analysis of the problem, info about all the related thread, complete call stacks, etc. All hyperlinked and easy to use.
DebugDiag even automates some of the more complicated analysis that is possible but painful in WinDbg (like tracking down which of the 350 threads in your application is responsible for a deadlock).
Note: Chrome will not download or open .mhtml files for security reasons, so you must open in Internet Explorer or Microsoft Edge for it to be usable. This is annoying, and I've filed a request with the DebugDiag team (dbgdiag#microsoft.com) to change the format to plain HTML
Middle option: Install WinDbg as an alternate debugging engine for Visual Studio
Install Visual Studio if it's not yet installed. This needs to be done before the next step.
Install the Windows Driver Kit (WDK)
Launch Visual Studio, and (this part is important!) use the new "File -> Open -> Crash Dump..." option to open the dump. This will debug the crash dump using the Windows Debugger (if you instead drag-and-drop the dump on Visual Studio or use the standard "File -> Open -> File..." option to open the dump, it will debug it using the old Visual Studio debugging engine... so be careful to use the right option).
You should now be able to see the correct call stack and navigate around using the Visual Studio GUI, although some things work differently (the watch windows require using the unfamiliar WinDbg syntax, thread IDs are different, etc). Note: the Visual Studio UI may be very sluggish, especially if many threads are involved and the 'threads' or 'parallel stacks' windows are open.
Hardcore option: Use WinDbg directly
Launch WinDbg.exe
Drag-and-drop your dump into the WinDbg window
Type !analyze -v and press Enter. After a little bit of time WinDbg will spit out a crash call stack, and also its estimation of what the source of the problem is. If you're analyzing a deadlock, you can try !analyze -v -hang and WinDbg will often show you the dependency chain involved.
At this point you may have all the info you need! However, if you then want to examine the process state in the Visual Studio debugger you can take the following additional steps:
Open the crash dump in Visual Studio
Right-click in the callstack window and choose "Go to Disassembly"
Paste the hex address from the top line of WinDbg's output callstack into the "Address" bar of the Disassembly window and press enter. You're now at the location of the crash, looking at the disassembled code.
Right-click in the disassembly window and choose "Go To Source Code" to go to the source code for the location. Now you're looking at the source code at the crash site.
Note: all of the above require having correct symbol server paths configured, otherwise you won't be able to resolve the symbols in the call stacks. I recommend setting the _NT_SYMBOL_PATH environment variable so that it's automatically available to Visual Studio, WinDbg, and DebugDiag.
What's missing from your callstack? Do you have a bunch of addresses that don't resolve to valid function names (ie, 0x8732ae00 instead of CFoo:Bar())? If so, then what you need is to put your .PDBs where your debugger can find them, or set up a symbol server and set the "Symbol Paths" in the right-click context menu of the Modules pane.
We store every .PDB from every binary every time someone checks in a new Perforce changelist, so that when a dump comes back from anyone inside the office or any customer at retail, we have the .PDB corresponding to the version of the game they were running. With the symbol server and paths set, all I have to do is just double-click the .mdmp and it works every time.
Or do you have a call stack that appears to only have one function in it? Like, 0x8538cf00 without anything else above it in the stack? If so, then your crash is actually the stack itself being corrupted. If the return addresses in the backchain have been overwritten, naturally the debugger will be unable to resolve them.
Sometimes also you'll find that the thread that actually emits the minidump is not the one that threw the exception that caused the crash. Look in the Threads window to see if one of the other threads has the offending code in it.
If you are debugging a "Release" build -- that is to say, one compiled with all optimization flags turned on -- you will have to live with the fact that the debugger will have trouble finding local variables and some other data. This is because turning on optimizations means allowing the compiler to keep data on registers, collapse calculations, and generally do a variety of things that prevents data from ever actually being written to the stack. If this is your problem then you'll need to open up the disassembly window and chase the data by hand, or rebuild a debug binary and reproduce the problem where you can look at it.
Turn off Frame Pointer Optimization, if you need stack dumps. Frame pointers are used to explicitly define stack frames. Without them, the debugger has to deduce the location of each frame.
The code to record the minidump is unlikely to be relevant. The main things that a minidump records are module information (for getting symbols) and the full content of all thread stacks. Beyond that basic information (which is always recorded) nothing else matters.
Getting good symbols (including PE files) is crucial for stack walking. More details can be found here: https://randomascii.wordpress.com/2013/03/09/symbols-the-microsoft-way/
I find that Visual Studio is usually reliable at displaying call stacks. It automatically displays the relevant call stack from the exception record, and it makes changing threads easy so that you can see the call stacks of all threads. It does sometimes try to 'hide' details that it thinks might confuse you - whether that is good or bad depends on your skill level.
Windbg defaults to showing the call stack of the code that recorded the crash dump rather than the crashing call stack. Windbg requires that you go ".ecxr" or "!analyze -v" in order to see the crash stack. I find this annoying. Windbg also requires more configuration in order to be useful.
The two debuggers do have different stack walking heuristics. These heuristics are needed, for instance, if you call or return to address zero since there is no unwind information for that address. For 'clean' crashes where the failing instruction is in normal code these heuristics are less important.
The stack walking has almost certainly improved in the last ten years. VS 2015 Community Edition is very capable and is free so you might as well try it.
If you use windbg then you can try some experiments:
!vc7fpo - toggles some of the windbg heuristics.
!stackdbg d, 7, f - turns on windbg stack walk
k1 - walks one level of the stack, spitting diagnostics as controlled by !stackdbg
dds esp - dumps the raw contents of the stack, doing a symbol lookup on each pointer
If you upgrade to VS 2015 and still have problems then it is likely that the stack walking failures are specific to the crashes you are seeing. If a buffer overrun tromps the stack before crashing then the call stack will be irrevocably damaged. Your question has too little information about what failures you are seeing to give a definitive diagnosis. I find the stack displays of both debuggers fairly reliable, but I also usually understand why they sometimes fail and when that happens I can still extract the information that I need.
I dont use minidumps, but rather dump teh stack by "hand" into a logfile
(see www.ddj.com/cpp/185300443 and
How to Log Stack Frames with Windows x64).
I encounter a similar behavior like you do: Sometimes there is a valid call stack, sometimes there is not. In a minor number of cases the stack might be really corrupted. In maybe 1/3 of all cases the installed Exception handler is not called at all! I guess that its somehow a problem of the windows structured exception handling.