NTDLL symbol issue

Matt

Feb 10, 2009, 5:29:07 PM
Hi,

I am using WINDBG 6.11 to debug both the kernel and a user mode
process at the same time. I am having issues loading symbols (even
export) for NTDLL. The host machine is Vista x64 SP1. The target
machine is Vista x86 SP1. The following commands are executed when I
am broken within the process in question (filesystest.exe).

Any ideas?

Thanks,
Matt

1: kd> lm
start end module name
...
777c0000 778e7000 ntdll (no symbols)
...

1: kd> .reload /user
Loading User Symbols
.*** WARNING: Unable to verify checksum for filesystest.exe
DBGHELP: filesystest - private symbols & lines
C:\Program Files\Debugging Tools for Windows (x64)\sym
\filesystest.pdb\B762A51136B740C49381BA0A8E65AA488\filesystest.pdb
...
SYMSRV: \\symbols\symbols: not available
DBGENG: C:\Windows\system32\ntdll.dll image header does not match
memory image header.
DBGENG: C:\Windows\system32\ntdll.dll - Couldn't map image from disk.
DBGHELP: No debug info for ntdll.dll. Searching for dbg file
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym
\ntdll.dbg\4791A7A6127000\ntdll.dbg not found
SYMSRV: C:\Program Files\Debugging Tools for Windows (x64)\sym
\ntdll.dbg\4791A7A6127000\ntdll.dbg not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntdll.dbg/4791A7A6127000/ntdll.dbg
not found
DBGHELP: .\ntdll.dbg - file not found
DBGHELP: .\dll\ntdll.dbg - path not found
DBGHELP: .\symbols\dll\ntdll.dbg - path not found
DBGHELP: ntdll.dll missing debug info. Searching for pdb anyway
DBGHELP: Can't use symbol server for ntdll.pdb - no header information
available
DBGHELP: ntdll.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for
ntdll.dll
DBGHELP: ntdll - no symbols loaded
DBGHELP: kernel32 - public symbols
C:\Program Files\Debugging Tools for Windows (x64)\sym
\kernel32.pdb\093FA0AF6A7B4CE9B12506584036EC882\kernel32.pdb

Yuhong Bao

Feb 10, 2009, 6:01:03 PM
You need to copy ntdll.dll from the target to the host and set image file
path to where you copied it to.

"Matt" wrote:

> Hi,
>
> I am using WINDBG 6.11 to debug both the kernel and a user mode
> process at the same time. I am having issues loading symbols (even
> export) for NTDLL. The host machine is Vista x64 SP1. The target
> machine is Vista x86 SP1. The following commands are executed when I
> am broken within the process in question (filesystest.exe).
>
> Any ideas?
>
> Thanks,
> Matt
>
> 1: kd> lm
> start end module name
> ...
> 777c0000 778e7000 ntdll (no symbols)
> ...
>
> 1: kd> .reload /user
> Loading User Symbols
> .*** WARNING: Unable to verify checksum for filesystest.exe
> DBGHELP: filesystest - private symbols & lines
> C:\Program Files\Debugging Tools for Windows (x64)\sym
> \filesystest.pdb\B762A51136B740C49381BA0A8E65AA488\filesystest.pdb
> ...

Matt

Feb 10, 2009, 6:16:25 PM
On Feb 10, 3:01 pm, Yuhong Bao <yuhongbao_...@hotmail.com> wrote:
> You need to copy ntdll.dll from the target to the host and set image file
> path to where you copied it to.
>

I have never had to do this in the past. Did something change that
makes NTDLL special in this regard? Is this in the documentation
anywhere?

Matt

Feb 10, 2009, 6:21:11 PM

This fixes the problem. Thanks. I would still like to understand why I
have to do this now for NTDLL?

Don Burn

Feb 10, 2009, 6:20:06 PM
That is the stupidest thing I have ever heard of on this forum. Sorry, the
DLL does not contain the symbols, the PDB does.

--
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


"Yuhong Bao" <yuhong...@hotmail.com> wrote in message
news:A5EBB0EA-7DC8-47B7...@microsoft.com...

Yuhong Bao

Feb 10, 2009, 11:59:01 PM

"Don Burn" wrote:

> That is the stupidest thing I have ever heard of on this forum. Sorry, the
> DLL does not contain the symbols, the PDB does.

The problem here is that the DLL contains the header info needed to find the
PDB.

Matt

Feb 11, 2009, 11:08:55 AM
>
> The problem here is that the DLL contains the header info needed to find the
> PDB.

Can someone explain why this is the case for NTDLL? In the past when I
did this type of debugging I never needed to copy NTDLL over...

pat styles [microsoft]

Feb 11, 2009, 11:45:50 AM
Hello Matt.

Do a "!lmi ntdll.dll". I'll bet you find that it is paged out.

.pat styles [microsoft]

"Matt" <mattkl...@yahoo.com> wrote in message
news:179e26b5-9647-4b66...@h16g2000yqj.googlegroups.com...
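
An added example, not part of any post in this thread and not the debugger's own code: the symbol-server lookup keys are derived from the module's PE header, so an unreadable header (as with "no header information available" in the log above) leaves nothing to query the server with. The function names and the sample image are constructed for illustration; the timestamp and image size are the ones visible in Matt's log, the GUID is made up, and the image is parsed as mapped in memory (RVA equals offset).

```python
import struct

def symbol_keys(image: bytes):
    """Return (image_key, pdb_key) for a PE image mapped in memory.
    Both are None if the header is unreadable; pdb_key is None without an RSDS record."""
    if image[:2] != b"MZ":
        return None, None                      # e.g. zero-filled, paged-out header
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        return None, None
    timestamp = struct.unpack_from("<I", image, pe + 8)[0]
    opt = pe + 24                              # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", image, dirs + 6 * 8)  # debug directory
    image_key = "%08X%x" % (timestamp, size_of_image)
    for off in range(dbg_rva, dbg_rva + dbg_size, 28):
        dtype, _size, cv = struct.unpack_from("<III", image, off + 12)
        if dtype == 2 and image[cv:cv + 4] == b"RSDS":   # IMAGE_DEBUG_TYPE_CODEVIEW
            d1, d2, d3, d4, age = struct.unpack_from("<IHH8sI", image, cv + 4)
            raw = image[cv + 24:image.index(b"\0", cv + 24)].decode()
            name = raw.rsplit("\\", 1)[-1]
            guid = "%08X%04X%04X%s" % (d1, d2, d3, d4.hex().upper())
            return image_key, "%s/%s%X/%s" % (name, guid, age, name)
    return image_key, None

def build_sample() -> bytes:
    """Constructed mapped image: timestamp/size mirror the log, the GUID is made up."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + 8, 0x4791A7A6)        # TimeDateStamp
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 56, 0x127000)          # SizeOfImage
    struct.pack_into("<II", img, opt + 96 + 48, 0x200, 28)   # debug data directory
    struct.pack_into("<III", img, 0x200 + 12, 2, 34, 0x240)  # CodeView entry
    img[0x240:0x244] = b"RSDS"
    struct.pack_into("<IHH8sI", img, 0x244, 0x01234567, 0x89AB, 0xCDEF, bytes(range(8)), 2)
    img[0x258:0x262] = b"ntdll.pdb\0"
    return bytes(img)

if __name__ == "__main__":
    print(symbol_keys(build_sample()))   # header readable: both keys available
    print(symbol_keys(bytes(0x400)))     # header unreadable: no keys at all
```

The first key matches the `4791A7A6127000` component of the `ntdll.dbg` paths in the log; the second has the same GUID-plus-age shape as the `kernel32.pdb` directory name there.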
