Channel 9

Channel 9 is a community. We bring forward the people behind our products and connect them with those who use them. We think there is a great future in software and we're excited about it. We want the community to participate in the ongoing conversation. This is the heart of Channel 9. We talk about our work but listen to the customer.



Defrag Tools #167 - Debugging User Mode Crash Dumps Redux | Defrag Tools

In this episode of Defrag Tools, Andrew Richards and Chad Beeder use Debugging Tools for Windows (WinDbg) to determine the root cause of various application crashes which have occurred on Andrew's computer. We use Sysinternals ProcDump to capture the dumps.While debugging, we take a side trip into configuring colors for Compressed and Encrypted files in Windows Explorer, and use Sysinternals Process Monitor to determine why the debugger was getting an Access Denied when loading the PDE Debugger Extension.We did a similar investigation in these two episodes:

  • Defrag Tools #135 - Debugging User Mode Crash Dumps Part 1
  • Defrag Tools #136 - Debugging User Mode Crash Dumps Part 2
We cover how to install the Debugging Tools for Windows in this episode:
  • Defrag Tools #131 - Windows 10 SDK
Get the Sysinternals tools from We use:
  • Sysinternals ProcDump
  • Sysinternals Process Monitor
Get the PDE debugger extension from the Defrag Tools OneDriveGet your Symbol Path to the Microsoft Public Symbol Server:
  • Via Environment Variable
    setx /m _NT_SYMBOL_PATH SRV*C:\My\Sym*
  • In the Debugger
    .sympath SRV*C:\My\Sym*
To collect dumps of crashes on your own machine, install ProcDump as the Postmortem (AeDebugger) debugger:    md c:\dumps
    procdump.exe -ma -i c:\dumps On any dump (user or kernel), you can run automated analysis to view the issue:    !analyze -vDebugging Cheat Sheet
  • c0000005 is an Access Violation - use .ecxr & k
  • c000027b is a Stowed Exception (Store Apps) - use !pde.dse
  • e0434352 is a CLR Exception - use !
  • e0697282 is a C++ Exception - use .ecxr & k
  • 80000003 is a Breakpoint - use !analyze -v
  • When typing a decimal number, prefix it "0n"
  • When typing a hexadecimal number, prefix it "0x" (the default prefix)
Common Debugger Commands.exr -1
  • View the Exception Code and the Exception Parameters
  • Number looking like C0xxxxxx and 80xxxxxx are HRESULTs (Error Codes)
  • Number looking like 7FFFxxxxxxxx are usually code (assembler) addresses
!address <number>
  • Display the address information - Commited/Reserved/Free, Image/Mapped/Private
  • Used to determine if a number is code or data.
ln <address>
  • List Nearest address
  • Displays the symbol at or near the address
  • Used to determine if a number is code or data.
  • Change the debugging context to the point of the exception (rather than being at the Windows Error Reporting context)
  • View the registers at the current context. (.ecxr produces the same output)
  • View the call stack
lmvm <module>
  • View loaded module verbosely with a mask
  • View a module's details, including folder, timestamp, description, copyright, product/file version
|  (Vertical Bar or Pipe character)
  • View the executable's path (e.g. c:\windows\notepad.exe)
  • Get the description of an Error Code. Best at describing System Error Codes.
  • Get the description of an Error Code. Good at describing HRESULTs (80xxxxxx and C0xxxxxx)
  • Scrape the current thread for evidence (symbols, structures, strings, etc.)
.formats <number>
  • Displays the number in various formats.
  • Easy way of working out if a number is actually ASCII text, or a date/time
  • Display a CLR Exception.
  • If there is an Inner Exception, click on the link to view it.
.cordll -u & .cordll -l
  • If SOS isn't loaded, try to do an unload and load of the CLR support.
  • View the Process Environment Block (Modules, Command Line, Environment Variables, etc.)
  • View the current Thread's Environment Block (Stack Range, Last Error Code, Last Status Code, etc.)
  • Get Last Error
  • Display the Last Error Code and Last Status Code of the current thread
  • Clear the screen.
  • Force a reload (download) of symbols for the modules on the current stack.
.reload /f
  • Force a full reload (download) of symbols for the modules on the current stack.
 Store ApplicationsTo view the currently installed Store Applications and their version use:Registry Editor (regedit.exe)
  • HKEY_CURRENT_USER\SOFTWARE\Classes\ActivatableClasses\Package
  • Get-AppxPackage


 29 August 2016  56m