
Script WinDbg

December 19th, 2012

These are my own notes, but I thought I would share them; maybe they help someone. I was trying to analyse some dumps yesterday (around 40 GB each)... an orphan sessions issue, and found at least 20+ sessions in two dumps. I concentrated on ALPC wait chains and it was too tiring to find all the relevant threads, as it is all manual work. However, yesterday I found some scripts and a technique that help to speed up the analysis (thanks to http://www.dumpanalysis.org & the MSDN blog):

1. .logopen folderpath\filename.txt – this opens a log file for you; any command you run afterwards also writes its output to this file.

2. !process 0 ff – everyone knows this command, but if you run it after the above command you get all the thread info in a text file; then use Notepad++ to find the 'Waiting for reply to ALPC Message' string and it will show you all the ALPC wait chains.

3. .shell -i - -ci "!process 0 ff" FIND "ALPC Message" – and this is cool: you can use .shell to run any external command and even do simple things like searching. So if you use this after .logopen it will automatically dump only the relevant threads, so no more searching in Notepad++. (You still need some manual work, as most of the ALPC waits are normal and supposed to be there.)

.shell [Options] [ShellCommand]

.shell -i InFile [-o OutFile [-e ErrFile]] [Options] ShellCommand

4. You can also use scripts to run more than one command and automate analysis, e.g. to find the thread that has the maximum UserTime (documented in Dmitry's blog – a good alternative to !runaway and manual work):
r $t0 = 0
!for_each_thread "r $t1 = dwo( @#Thread + @@c++(#FIELD_OFFSET(nt!_KTHREAD, UserTime))); .if(@$t1 > @$t0) {r $t0 = @$t1; r $t2 = @#Thread}"
.echo "The largest UserTime value:"
? @$t0
!thread @$t2 ff
Copy the above code into a text file and name it test.vbs (the .echo line only prints its text, so the ? @$t0 that prints the value must be on its own line). To run it from WinDbg: $$><C:\test.vbs (replace with the full file location).

I was searching for some way to automate a script to query the thread that has the maximum running time (Ticks), e.g.
THREAD fffffa8021f716e0 Cid 04f0.0560 Teb: 000007fffffdc000 Win32Thread: fffff900c0188c20 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa8021f71aa8 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8a003a8d030 : queued at port fffffa8052428540 : owned by process fffffa80220feb30
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa801ec452e0 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 4103 Ticks: 6596206 (1:04:35:01.473)

But I found that Ticks are calculated dynamically (http://www.dumpanalysis.org/blog/index.php/2007/07/22/crash-dump-analysis-patterns-part-19/), so there is no stored field to compare. Still, WinDbg has its own scripting language, so small scripts can be written easily to automate some of the work: .foreach, .if, .else, .elseif, .for, .while, .do, etc.
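The Notepad++ / FIND search from steps 2 and 3 can also be scripted against the .logopen file. The Python example below is added here and is not from the original post or from dumpanalysis.org: it parses the text that !process 0 ff prints, keeps only the threads showing 'Waiting for reply to ALPC Message', sorts them longest wait first, resolves the 'owned by process' address to an image name using the PROCESS headers, and flags processes that wait on each other (the shape worth looking at first when a session appears stuck). The sample log is constructed for the example, modelled on the thread block above; its addresses, Cids and tick counts are made up, and the regexes assume the line layout shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on what "!process 0 ff" writes to the .logopen
# file. Addresses, Cids and tick counts are invented for this example.
SAMPLE_LOG = """\
PROCESS fffffa801ec452e0
    SessionId: 3  Cid: 0200    Peb: 7fffffd8000  ParentCid: 01f0
    Image: csrss.exe

        THREAD fffffa8021f716e0  Cid 04f0.0560  Teb: 000007fffffdc000 Win32Thread: fffff900c0188c20 WAIT: (WrLpcReply) UserMode Non-Alertable
            fffffa8021f71aa8  Semaphore Limit 0x1
            Waiting for reply to ALPC Message fffff8a003a8d030 : queued at port fffffa8052428540 : owned by process fffffa80220feb30
            Not impersonating
            Owning Process            fffffa801ec452e0       Image:         csrss.exe
            Wait Start TickCount      4103           Ticks: 6596206 (1:04:35:01.473)

        THREAD fffffa8021f8a060  Cid 04f0.0a2c  Teb: 000007fffffd9000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            Owning Process            fffffa801ec452e0       Image:         csrss.exe
            Wait Start TickCount      6598000        Ticks: 2309 (0:00:00:36.078)

PROCESS fffffa80220feb30
    SessionId: 3  Cid: 05a0    Peb: 7fffffd5000  ParentCid: 0200
    Image: winlogon.exe

        THREAD fffffa8022111b50  Cid 05a0.05c4  Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
            Waiting for reply to ALPC Message fffff8a004c11ab0 : queued at port fffffa8052428540 : owned by process fffffa801ec452e0
            Owning Process            fffffa80220feb30       Image:         winlogon.exe
            Wait Start TickCount      4120           Ticks: 6596189 (1:04:35:01.207)
"""

PROCESS_RE = re.compile(r"^PROCESS\s+(?P<proc>[0-9a-f]+)", re.M)
IMAGE_RE = re.compile(r"^\s*Image:\s+(?P<image>\S+)", re.M)
THREAD_RE = re.compile(r"^\s*THREAD\s+(?P<thread>[0-9a-f]+)\s+Cid\s+(?P<cid>[0-9a-f]+\.[0-9a-f]+)", re.M)
ALPC_RE = re.compile(r"Waiting for reply to ALPC Message\s+(?P<msg>[0-9a-f]+)\s*:\s*queued at port\s+"
                     r"(?P<port>[0-9a-f]+)\s*:\s*owned by process\s+(?P<server>[0-9a-f]+)")
OWNER_RE = re.compile(r"Owning Process\s+(?P<proc>[0-9a-f]+|N/A)\s+Image:\s+(?P<image>\S+)")
TICKS_RE = re.compile(r"Ticks:\s+(?P<ticks>\d+)\s+\((?P<elapsed>[\d:.]+)\)")


@dataclass
class AlpcWaiter:
    thread: str          # _ETHREAD address from the THREAD line
    cid: str             # pid.tid
    owner_process: str   # process owning the blocked thread (Owning Process line)
    owner_image: str
    message: str         # ALPC message address
    port: str            # port the message is queued at
    server_process: str  # "owned by process" address, i.e. who owes the reply
    ticks: int           # how long the thread has been waiting, in ticks
    elapsed: str         # the d:hh:mm:ss.mmm form printed next to Ticks


def _blocks(log: str, head_re):
    """Yield (header match, text up to the next header) for each header hit."""
    heads = list(head_re.finditer(log))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log)
        yield m, log[m.start():end]


def process_images(log: str) -> Dict[str, str]:
    """Map every PROCESS address in the dump to its Image: name."""
    images = {}
    for m, text in _blocks(log, PROCESS_RE):
        img = IMAGE_RE.search(text)
        images[m.group("proc")] = img.group("image") if img else "?"
    return images


def parse_alpc_waiters(log: str) -> List[AlpcWaiter]:
    """Every thread blocked in 'Waiting for reply to ALPC Message', longest wait first."""
    waiters = []
    for m, text in _blocks(log, THREAD_RE):
        alpc = ALPC_RE.search(text)
        if alpc is None:
            continue  # ordinary wait (UserRequest etc.), not part of an ALPC chain
        owner, ticks = OWNER_RE.search(text), TICKS_RE.search(text)
        waiters.append(AlpcWaiter(
            thread=m.group("thread"), cid=m.group("cid"),
            owner_process=owner.group("proc") if owner else "?",
            owner_image=owner.group("image") if owner else "?",
            message=alpc.group("msg"), port=alpc.group("port"),
            server_process=alpc.group("server"),
            ticks=int(ticks.group("ticks")) if ticks else 0,
            elapsed=ticks.group("elapsed") if ticks else "?"))
    waiters.sort(key=lambda w: w.ticks, reverse=True)
    return waiters


def find_wait_cycles(waiters: List[AlpcWaiter]) -> List[List[str]]:
    """Cycles in the process-level 'waits on' graph (A waits for B's reply while
    B waits for A's). Each cycle is a list of process addresses."""
    edges: Dict[str, set] = {}
    for w in waiters:
        edges.setdefault(w.owner_process, set()).add(w.server_process)
    cycles: List[List[str]] = []

    def walk(node, path):
        for nxt in sorted(edges.get(node, ())):
            if nxt in path:                       # closed a loop back into the path
                cyc = path[path.index(nxt):]
                if sorted(cyc) not in [sorted(c) for c in cycles]:
                    cycles.append(cyc)
            else:
                walk(nxt, path + [nxt])

    for start in edges:
        walk(start, [start])
    return cycles


def report(log: str) -> List[str]:
    """Human-readable lines: one per ALPC waiter, then any wait cycles."""
    images, waiters, lines = process_images(log), parse_alpc_waiters(log), []
    for w in waiters:
        lines.append(f"{w.owner_image} thread {w.thread} (Cid {w.cid}) has waited {w.elapsed} "
                     f"for ALPC msg {w.message} on port {w.port}, reply owed by "
                     f"{images.get(w.server_process, '?')} ({w.server_process})")
    for cyc in find_wait_cycles(waiters):
        lines.append("wait cycle: " + " -> ".join(images.get(p, p) for p in cyc + cyc[:1]))
    return lines


if __name__ == "__main__":
    import sys  # usage: python alpc_waits.py <logopen file>; no argument runs the sample
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

As the post notes, most ALPC waits in a dump are normal, so the sorted list is a starting point rather than a verdict; the wait cycle line is the part worth reading first, and Ticks must be taken from the log because the tick-to-time conversion is done by the debugger at display time.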
