Wow64 and Silverlight Dump Analysis
I wrote a complicated form on Silverlight and when I finished writing, I was horrified to find that I had a memory leak somewhere. I didn’t worry, but took a few 3.5 gigabyte dumps and wanted to find out in WinDbg what was really the case, but SOS persistently sent me to any of the teams.
The fact is that Silverlight is x86, so as soon as we load the dump into WinDbg x86, we must clearly say that we will work in 32-bit mode.
Magic word:
! wow64exts.sw
')
Example:
.loadby sos coreclr
.chain
! wow64exts.sw
We continue to work as usual.
Have fun
Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [D: \ Dumps \ Hang_Mode \ FULLDUMP_HangMode_IEXPLORE.EXE.dmp]
User Mini Dump File with memory
Comment: 'HangMode'
Symbol search path: symsrv * symsrv.dll * c: \ Program Files \ Debugging Tools for Windows (x64) \ symbols * http: //msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time:
System Uptime:
Process Uptime:
................................................ WARNING: rsaenh overlaps cryptsp
....... WARNING: IPHLPAPI overlaps wow64cpu
.WARNING: winnsi overlaps dnsapi
.... WARNING: rtutils overlaps rasman
...
WARNING: authz overlaps PeerDist
...... WARNING: version overlaps apphelp
..WARNING: FWPUCLNT overlaps rasadhlp
.WARNING: AcroIEHelperShim overlaps mswsock
........ WARNING: msls31 overlaps mlang
......... WARNING: winmm overlaps oleacc
...
This dump file is stored in it.
The stored information can be accessed via .ecxr.
(df4.1d60): Wake debugger - code 80000007 (first / second chance not available)
*** WARNING: symbols timestamp is wrong 0x4a5bdf57 0x4a5be125 for wow64cpu.dll
wow64cpu! CpupSyscallStub + 0x9:
00000000`755a2dd9 c3 ret
0: 000> .loadby sos coreclr
0: 000> .chain
Extension DLL search path:
C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ WINXP
Extension DLL chain:
C: \ Program Files (x86) \ Microsoft Silverlight \ 4.0.50401.0 \ sos : image 4.0.50401.0, API 1.0.0, built Thu Apr 01 09:10:00 2010
[path: C: \ Program Files (x86) \ Microsoft Silverlight \ 4.0.50401.0 \ sos.dll]
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 23:08:26 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 23:08:31 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ winext \ ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 23:08:24 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ WINXP \ exts.dll]
uext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 23:08:23 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ winext \ uext.dll]
ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 23:08:08 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ WINXP \ ntsdexts.dll]
0: 000>! Wow64exts.sw
Switched to 32bit mode
The fact is that Silverlight is x86, so as soon as we load the dump into WinDbg x86, we must clearly say that we will work in 32-bit mode.
Magic word:
! wow64exts.sw
')
Example:
.loadby sos coreclr
.chain
! wow64exts.sw
We continue to work as usual.
Have fun
Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [D: \ Dumps \ Hang_Mode \ FULLDUMP_HangMode_IEXPLORE.EXE.dmp]
User Mini Dump File with memory
Comment: 'HangMode'
Symbol search path: symsrv * symsrv.dll * c: \ Program Files \ Debugging Tools for Windows (x64) \ symbols * http: //msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time:
System Uptime:
Process Uptime:
................................................ WARNING: rsaenh overlaps cryptsp
....... WARNING: IPHLPAPI overlaps wow64cpu
.WARNING: winnsi overlaps dnsapi
.... WARNING: rtutils overlaps rasman
...
WARNING: authz overlaps PeerDist
...... WARNING: version overlaps apphelp
..WARNING: FWPUCLNT overlaps rasadhlp
.WARNING: AcroIEHelperShim overlaps mswsock
........ WARNING: msls31 overlaps mlang
......... WARNING: winmm overlaps oleacc
...
This dump file is stored in it.
The stored information can be accessed via .ecxr.
(df4.1d60): Wake debugger - code 80000007 (first / second chance not available)
*** WARNING: symbols timestamp is wrong 0x4a5bdf57 0x4a5be125 for wow64cpu.dll
wow64cpu! CpupSyscallStub + 0x9:
00000000`755a2dd9 c3 ret
0: 000> .loadby sos coreclr
0: 000> .chain
Extension DLL search path:
C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ WINXP
Extension DLL chain:
C: \ Program Files (x86) \ Microsoft Silverlight \ 4.0.50401.0 \ sos : image 4.0.50401.0, API 1.0.0, built Thu Apr 01 09:10:00 2010
[path: C: \ Program Files (x86) \ Microsoft Silverlight \ 4.0.50401.0 \ sos.dll]
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 23:08:26 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 23:08:31 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ winext \ ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 23:08:24 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ WINXP \ exts.dll]
uext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 23:08:23 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ winext \ uext.dll]
ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 23:08:08 2010
[path: C: \ Program Files (x86) \ Debugging Tools for Windows (x86) \ WINXP \ ntsdexts.dll]
0: 000>! Wow64exts.sw
Switched to 32bit mode
Source: https://habr.com/ru/post/93529/
All Articles