Re: AD+ crash logs and .dmps Part II
From: John Alderson (jalderson@nospam.adelphia.net)
Date: 09/05/02
From: "John Alderson" <jalderson@nospam.adelphia.net> Date: Wed, 4 Sep 2002 20:12:22 -0400
"Tom Chisholm" <tom@webnw.com> wrote in message
news:#szsq8DVCHA.3884@tkmsftngp12...
> Thanks for the feedback on my previous posting. At the risk of being a pest,
> I have a couple more questions:
>
> After running our dump on IIS in Hang mode, a number of files are produced,
> one of which is called:
>
> PID-1568__DLLHOST.EXE__IIS_Out-Of-Process_Pooled_Applications__Date_09-03-2002__Time_14-14-47PM.log
>
> One of the processes this file reports on is a proprietary .dll called
> "cychmck.dll." This a .dll provided by an online payment verification
> service. Here is the output:
>
>
> 0x0013e0b8: C:\WINNT\System32\cychmck.dll
> Base 0x03f20000 EntryPoint 0x03f36df6 Size 0x0004e000
> Flags 0x00284004 LoadCount 0x00000001 TlsIndex 0x00000000
> LDRP_IMAGE_DLL
> LDRP_ENTRY_PROCESSED
> LDRP_PROCESS_ATTACH_CALLED
> LDRP_IMAGE_NOT_AT_BASE
>
> Questions:
>
> 1. What does "LDRP_IMAGE_NOT_AT_BASE" mean? I don't have a symbol installed
> for this dll in the c:\WINNT\SYMBOLS folder. Furthermore, in the output
> above, the terms "Base," "Flags," "entrypoint," "Loadcount," "Size,"
> "TlsIndex," "LDRP," etc,--what do they mean? I realize this is a big
> question; thanking anyone in advance for answering it.
>
> 2. What is the best tool for viewing and analyzing .dmp files?
>
>
> Thanks for your time,
>
> Tom
>
>
Tom,
The best tool for looking at the memory dump files that AD+, cdb, userdump,
drwtsn32, et al. create is WinDBG. Since you have AD+, you most likely also
have WinDBG installed in the same location. The version you want to make
sure you use is 6.0.17.0.
Now, as far as getting valuable info out of it, that's a much more difficult
subject. The Debugger docs have some basic info but overall, understanding
of the OS and the process being debugged is really essential to getting any
significant information. If the exe is yours, then you have a good idea of
how it works and so can follow along. If not, then that's where your
understanding of OS functions needs to take over. There are no cookie
cutter methods for this kind of work.
Another skill that really helps is understanding of the x86 architecture and
assembly. I recommend grabbing the Intel Architecture manuals in PDF format
from Intel's site. You can start with Volume 1, Chapter 6 I believe which
details the formation and usage of the stack. There are numerous references
to Volume 3 also, where individual topics are covered in more detail. Also,
look for old articles by Matt Pietrek in MSDN. Finally, you can grab a book
by John Robbins called Debugging Applications.
Last, understand symbols and their role. Use the Microsoft symbol server if
possible for Windows 2000 and beyond. Proper symbols are essential for the
stack walker routines. Compiler optimizations will obscure stack
boundaries. This can be worked around manually though.
John Alderson
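As an added example (not part of this thread, and not AD+ or WinDBG code), a small Python parser for the module record quoted in Tom's question: it decodes the Flags word using the public LDRP_* bit definitions from LDR_DATA_TABLE_ENTRY (the four named bits sum to exactly the 0x00284004 shown), checks that EntryPoint lies inside the mapped image, and reports whether the DLL was relocated. LDRP_IMAGE_NOT_AT_BASE means the loader could not map the DLL at the preferred ImageBase in its PE header, so addresses taken from a static disassembly or map file must be rebased to the Base printed in the log.

```python
import re

# LDRP_* bits from the public LDR_DATA_TABLE_ENTRY flag definitions (winternl /
# ReactOS ldrtypes.h); these four sum to exactly the 0x00284004 printed in the log.
LDRP_FLAGS = {
    0x00000004: "LDRP_IMAGE_DLL",
    0x00004000: "LDRP_ENTRY_PROCESSED",
    0x00080000: "LDRP_PROCESS_ATTACH_CALLED",
    0x00200000: "LDRP_IMAGE_NOT_AT_BASE",
}

# Module record as quoted from the AD+ hang-mode log in the question above.
SAMPLE_RECORD = """\
0x0013e0b8: C:\\WINNT\\System32\\cychmck.dll
Base 0x03f20000 EntryPoint 0x03f36df6 Size 0x0004e000
Flags 0x00284004 LoadCount 0x00000001 TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
LDRP_IMAGE_NOT_AT_BASE
"""

def parse_module_record(text):
    """Parse one module record: hex fields become ints, LDRP_ lines go to 'names'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    list_entry, path = lines[0].split(":", 1)   # "0x0013e0b8: C:\..." -> LDR entry address, path
    rec = {"ListEntry": int(list_entry, 16), "Path": path.strip(), "names": []}
    for ln in lines[1:]:
        if ln.startswith("LDRP_"):
            rec["names"].append(ln)
        else:
            for key, val in re.findall(r"(\w+)\s+(0x[0-9a-fA-F]+)", ln):
                rec[key] = int(val, 16)
    return rec

def decode_flags(flags):
    """Name every set bit of the Flags word; bits not in the table are kept as hex."""
    return [LDRP_FLAGS.get(1 << b, "0x%08x" % (1 << b)) for b in range(32) if flags & (1 << b)]

def check_module(rec):
    """Checks worth running before trusting addresses from this module in the dump."""
    base, size, entry = rec["Base"], rec["Size"], rec["EntryPoint"]
    decoded = decode_flags(rec["Flags"])
    return {
        "flags_match": sorted(decoded) == sorted(rec["names"]),   # Flags word agrees with names printed
        "entry_in_image": base <= entry < base + size,            # EntryPoint inside [Base, Base+Size)
        # relocated: not mapped at the PE header's ImageBase, so rebase static addresses to Base
        "relocated": "LDRP_IMAGE_NOT_AT_BASE" in decoded,
        "entry_rva": entry - base,   # entry point as an RVA, independent of where it was loaded
    }
```

Run `check_module(parse_module_record(SAMPLE_RECORD))` to see that for this record the flags agree, the entry point is inside the image, and the DLL was relocated (entry RVA 0x16df6).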