Dumping Processes Without Breaking Them 631
DUMPING PROCESSES WITHOUT BREAKING THEM
We can do it on any Windows system after Windows 2000 without installing any additional tools like Userdump or WinDbg, and the process won't be interrupted while its memory dump is being saved: it keeps running. We can use the following command:
ntsd -pvr -p 'PID' -c ".dump /ma /u process.dmp; q"
PID is the decimal process ID, which we can get from Task Manager, for example.
Note: on an x64 system, to dump a 32-bit process (shown as *32 in Task Manager) we need to use NTSD from the \Windows\SysWOW64 folder (page 633). On Windows Vista, NTSD is no longer included, but it can be found in the Debugging Tools for Windows package.
632 PART 11: The Origin of Crash Dumps
USERDUMP.EXE ON X64
If we install the latest Microsoft user mode process dumper on x64 Windows we would see both x86 and x64 folders.
One piece of advice here: do not dump 32-bit applications and services (shown as *32 in Task Manager) using userdump.exe from the x64 folder; use userdump.exe from the x86 folder. A 32-bit application runs in the WOW64 emulation layer on x64 Windows, and that emulation layer is itself a native 64-bit process, so x64 userdump.exe saves that emulation layer and not the original 32-bit application. If we open such a dump file in WinDbg we would see WOW64 thread stacks and not the thread stacks from our original 32-bit application.
In summary, on x64 Windows, to save a memory dump file of a 64-bit application we can use:
x64\userdump.exe
\Windows\System32\ntsd.exe
64-bit version of WinDbg.exe
To save a memory dump file of a 32-bit application use:
x86\userdump.exe
\Windows\SysWOW64\ntsd.exe
32-bit WinDbg.exe
NTSD ON X64 WINDOWS
If we need to attach NTSD to a process on x64 Windows and save a memory dump file, we should remember that there are two versions of NTSD: x86 (32-bit) and x64. The former is located in the \Windows\SysWOW64 folder and should be used for attaching to 32-bit applications and services. For an explanation of why different versions of NTSD are needed, please refer to the first picture in Dumps, Debuggers and Virtualization (page 516).
If we use WinDbg for that purpose we should install both the 32-bit and 64-bit versions.
If we want to install NTSD or WinDbg as the default postmortem debugger we should use the Wow6432Node registry hive:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger = ntsd -p %ld -e %ld -g -c ".dump /ma /u c:\TEMP\new.dmp; q"
Please refer to the following Citrix support articles, which describe in more detail how to set NTSD and WinDbg as default postmortem debuggers:
How to Set NTSD as a Default Windows Postmortem Debugger (http://support.citrix.com/article/CTX105888)
How to Set WinDbg as a Default Windows Postmortem Debugger (http://support.citrix.com/article/CTX107528)
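As an added example (not the book's code and not a Citrix tool), the two procedures from the notes above in one PowerShell script: pick the NTSD build that matches the target process and save a noninvasive dump with the command from Dumping Processes Without Breaking Them, and register NTSD under AeDebug in both the native and the Wow6432Node hives. It assumes 64-bit Windows PowerShell on x64 Windows, ntsd.exe present in System32 and SysWOW64 (on Vista, from Debugging Tools for Windows), and an elevated prompt; the function names and the C:\TEMP output folder are my choices.

```powershell
# Added example, not from the book: choose the NTSD build that matches the target
# process, save a noninvasive dump, and register NTSD as postmortem debugger.
# Assumes 64-bit Windows PowerShell, ntsd.exe in System32 and SysWOW64 (on Vista
# from Debugging Tools for Windows), and an elevated prompt for services.

# kernel32!IsWow64Process tells a 32-bit (WOW64) process from a native 64-bit one.
$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64Process);
'@

function Get-NtsdForProcess {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    [bool]$isWow64 = $false
    if (-not $Kernel32::IsWow64Process($proc.Handle, [ref]$isWow64)) {
        throw "IsWow64Process failed for PID $ProcessId"
    }
    # A 32-bit target needs the 32-bit NTSD from SysWOW64; the 64-bit one would
    # dump the WOW64 layer and show its thread stacks instead of the application's.
    $sub = if ($isWow64) { 'SysWOW64' } else { 'System32' }
    $ntsd = Join-Path $env:windir "$sub\ntsd.exe"
    if (-not (Test-Path $ntsd)) { throw "$ntsd not found: install Debugging Tools for Windows" }
    return $ntsd
}

function Save-ProcessDump {
    param([Parameter(Mandatory = $true)][int]$ProcessId, [string]$OutDir = 'C:\TEMP')
    $ntsd = Get-NtsdForProcess -ProcessId $ProcessId
    $base = Join-Path $OutDir ((Get-Process -Id $ProcessId).ProcessName + '.dmp')
    # -pvr attaches noninvasively without suspending the target, so it keeps running;
    # .dump /ma writes a full user-mode dump and /u appends date, time and PID to $base.
    & $ntsd -pvr -p $ProcessId -c ".dump /ma /u $base; q"
    if ($LASTEXITCODE -ne 0) { throw "ntsd exited with code $LASTEXITCODE" }
    return $base   # the saved file has the /u suffix added to this name
}

function Set-NtsdPostmortemDebugger {
    param([string]$DumpPath = 'C:\TEMP\new.dmp')
    $cmd = "ntsd -p %ld -e %ld -g -c `".dump /ma /u $DumpPath; q`""
    # Native key for 64-bit processes, Wow6432Node for 32-bit ones, which read
    # AeDebug through the WOW64 registry redirector (the note above shows only the latter).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
    foreach ($k in $keys) {
        Set-ItemProperty -Path $k -Name Debugger -Value $cmd
        Set-ItemProperty -Path $k -Name Auto -Value '1'   # skip the "debug?" prompt
    }
}

# Usage: Save-ProcessDump -ProcessId 2552 ; Set-NtsdPostmortemDebugger
```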
NEED A DUMP? COMMON USE CASES
The most common scenarios technical support people encounter when facing the
need to create a dump file are:
Heap corruption
http://support.citrix.com/article/CTX104633
the article is applicable to any process.
CPU spikes
http://support.citrix.com/article/CTX106110
No user dumps saved by Dr. Watson
http://support.citrix.com/article/CTX105888
Memory leak
http://support.citrix.com/article/CTX106970
the article is applicable to any process.
Need a system dump from a remote session? Use SystemDump (page 646)
http://support.citrix.com/article/CTX111072
Got a correct dump? Use Citrix DumpCheck
http://support.citrix.com/article/CTX108825 (Explorer extension)
http://support.citrix.com/article/CTX108890 (Command line version)
PART 12: TOOLS
MEMORY DUMP ANALYSIS USING EXCEL
Some WinDbg commands output data in tabular format, so it is possible to save their output into a text file, import it into Excel and do sorting, filtering and graph visualization. Some such WinDbg commands include:
!stacks 1 - lists all threads with a Ticks column, so we can sort and filter threads that had been waiting for no more than 100 ticks, for example.
!irpfind - here we can create various histograms, for example, IRP distribution based on the [Driver] column.
The following graph depicts thread distribution in PID - TID coordinates on a busy multiprocessor system with 25 user sessions and more than 3,000 threads:
WinDbg scripts offer the possibility to output various tabulated data via .PRINTF:
0:000> .printf "a\tb\tc"
a b c
TESTDEFAULTDEBUGGER.NET
Sometimes there are situations when we need to test exception handling to see whether it works and how to get dumps or logs from it. For example, a customer reports infrequent process crashes but no crash dumps are saved. Then we can try some application that crashes immediately to see whether it results in error messages and/or saved crash dumps. This was the motivation behind the TestDefaultDebugger package. Unfortunately it contains only native applications, and we also needed to test .NET CLR exception handling and see what messages it shows in an environment. This is a simple program in C# that creates an empty Stack object and then calls its Pop method, which triggers a “Stack empty” exception:
The updated package now includes TestDefaultDebugger.NET.exe and can be downloaded from the Citrix support web site: http://support.citrix.com/article/CTX111901
CONS OF SYMBOL SERVER
Symbol servers are great. However, I found that in crash dump analysis the absence of automatically loaded symbols sometimes helps to identify a problem, or at least gives some directions for further research. It also helps to see which hot fixes or service packs for a product were installed on a problem computer. The scenario I sometimes use when I analyze crash dumps from product A is the following:
1. Set up WinDbg to point to Microsoft Symbol Server
2. Load a crash dump and enter various commands based on the issue. Some OS
or product A components become visible and their symbols are unresolved.
3. From unresolved OS symbols I’m aware of the latest fixes or privates from
Microsoft
4. From unresolved symbols of the product A and PDBFinder tool I determine the
base product level and this already gives me some directions.
5. I add the base product A symbols to symbol file path and continue my analysis.
6. If unresolved symbols of the product A continue to come up I use PDBFinder
tool again to find corresponding symbols and add them to symbol file path. By
doing that I’m aware of the product A hot fix and/or service pack level.
7. Also from PDBFinder tool I know whether there are any updates to the
component in question.
Of course, all of this works only if we store all PDB files from all our fixes and service packs in some location(s) with easily identified names or abbreviations, for example, PRODUCTA\VER20\SP31\FIX01. Adding symbols manually helps us to stay focused on components and draws attention to the threads where they appear. We might think it is a waste of time, but it takes only a very small percentage of the time, especially if we look at the memory dump for a couple of hours.
What is the PDBFinder tool? This is a program I developed to find the right symbol files (especially for minidumps). It scans all locations for PDB or DBG files and adds them to a binary database. The next time we run the PDBFinder tool it loads that database, and we can find a PDB or DBG file location by specifying the module name and its date. We can also do a fuzzy search by specifying some date interval. If we run it with the -update command line option it will build the database automatically, which is useful for scheduling weekly updates.
You can download it from http://support.citrix.com/article/CTX110629
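As an added example of the indexing idea described above (this is not the PDBFinder tool and does not reproduce its matching rules), a small PowerShell index of PDB/DBG files keyed by module name with lookup by exact date or by a date interval. It uses the file's last-write time as the symbol date, and the index file location, function names and the usage paths are my assumptions.

```powershell
# Added example, not the PDBFinder tool: a small index of PDB/DBG files keyed by
# module name, with lookup by date interval. The file's last-write time stands in
# for the symbol date; the index location below is an assumption.
$PdbIndexPath = Join-Path $env:TEMP 'pdbindex.xml'

function Update-PdbIndex {
    # Scan the symbol folders (e.g. ...\PRODUCTA\VER20\SP31\FIX01) and rebuild the index,
    # the equivalent of a scheduled "-update" run.
    param([Parameter(Mandatory = $true)][string[]]$Roots)
    $entries = foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.pdb, *.dbg -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Module = $_.BaseName.ToLowerInvariant()   # module name without extension
                    Path   = $_.FullName
                    Date   = $_.LastWriteTime
                }
            }
    }
    $entries | Export-Clixml -Path $PdbIndexPath
    return @($entries).Count
}

function Find-Pdb {
    # Exact-date lookup: pass the same value as -From and -To; fuzzy search: a wider interval.
    param([Parameter(Mandatory = $true)][string]$Module,
          [datetime]$From = [datetime]::MinValue,
          [datetime]$To = [datetime]::MaxValue)
    if (-not (Test-Path $PdbIndexPath)) { throw 'No index yet: run Update-PdbIndex first' }
    Import-Clixml -Path $PdbIndexPath |
        Where-Object { $_.Module -eq $Module.ToLowerInvariant() -and
                       $_.Date -ge $From -and $_.Date -le $To } |
        Sort-Object Date -Descending
}

# Usage (constructed paths and module name):
#   Update-PdbIndex -Roots 'D:\Symbols\PRODUCTA'
#   Find-Pdb -Module mymodule -From '2007-01-01' -To '2007-03-01'
```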
STRESSPRINTERS: STRESSING PRINTER AUTOCREATION
Printer drivers are a great source of crash dumps, especially in Citrix and Microsoft terminal services environments. Bad printer drivers crash or hang the spooler service (spoolsv.exe) when multiple users connect to a server.
Most bad drivers were designed and implemented for use in a single-user environment without multithreading in mind. Some bad drivers display a dialog box every time the printer is created, and because this is done on the server side, users cannot dismiss it unless the spooler service is configured to interact with the desktop and an administrator sees the dialog box. Some drivers are linked to a debug run-time library, and every exception brings up a dialog, effectively hanging the thread and sometimes the whole spooler service if there was heap corruption, for example.
Therefore, before allowing terminal services users to use certain printers, it is good to simulate multiple users trying to create particular printers in order to identify bad drivers and other printer components. Originally Citrix had the very popular command line AddPrinter tool for this purpose; it has been replaced by the StressPrinters tool, where I designed and implemented a GUI to set various options, coordination of multiple AddPrinter command line tools launched simultaneously with different parameters, and overall log file management. We can even export settings to a file and import it on another server. The tool also has 64-bit executables to test printer autocreation on x64 Windows.
The tool detects spooler crashes (if spoolsv.exe suddenly disappears from the process list), so we can check for crash dumps saved if we set up a default postmortem debugger (Dr. Watson or NTSD). If we see the progress bar hanging for a long time, then we can dump the spooler service using Microsoft userdump.exe to check for any stuck threads and resource contention.
You can read documentation and download this tool from Citrix support:
StressPrinters for 32-bit and 64-bit platforms
http://support.citrix.com/article/CTX109374
INSTANTDUMP (JIT PROCESS DUMPER)
Techniques utilizing user mode process dumpers and debuggers like Microsoft userdump.exe, NTSD or WinDbg and CDB from Debugging Tools for Windows are too slow to pick up a process and dump it. We need either to attach a debugger manually, run the command line prompt or switch to Task Manager. This deficiency was the primary motivation for me to use JIT (just-in-time) technology for process dumpers. The new tool, InstantDump, will dump a process instantly and non-invasively at the moment we need it. How does it work? We point to any window and press a hot key.
InstantDump could be useful to study hung GUI processes, to get several dumps of the same process during some period of time (a CPU spiking case or memory leak, for example), or just to dump the process for the sake of dumping it (out of curiosity). The tool uses tooltips to dynamically display window information.
Here is the short user guide:
1. The program will run only on XP/W2K3/Vista (in fact it will not load on Windows 2000).
2. Run InstantDump.exe on a 32-bit system or InstantDump64.exe on x64 Windows. If we attempt to run InstantDump.exe on x64 Windows it will show this message box and quit:
3. InstantDump puts itself into the task bar icon notification area:
4. By default, when we move the mouse pointer over windows, the tooltip follows the cursor describing the process and thread id and process image path (we can disable tips in the Options dialog box):
5. If we hold Ctrl-RightShift-Break for less than a second, then the process (whose window is under the cursor) will be dumped according to the settings for the external process dumper in the Options dialog (accessible via a right mouse click on the task bar icon):
The saved dump name will be (in our Calculator window case):
calc.exe_9f8(2552)_22-17-56_18-Feb-2007.dmp
There is no NTSD in Vista, so we have to use another user mode dumper, for example, install Microsoft userdump.exe and specify the following command line in the Options dialog:
userdump.exe %d %s
or resort to the WinDbg or CDB command line.
The tool can be downloaded from here:
http://www.dumpanalysis.org/downloads/InstantDump.zip.