Reputation: 485
I am doing a memory dump analysis for AppCrash_w3wp. When I do an !analyze -v I get the following result.
Is there any problem in my symbol setup? Or is this analysis pointing to some actual issue? Could somebody please guide me on how to analyze this further?
====:>
*** WARNING: Unable to verify timestamp for webengine4.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\987d450520ea6e815c63db8aecba0761\System.Data.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Data.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Mvc\9f9155f1c13562534f6cb370b0ad8381\System.Web.Mvc.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.Mvc.ni.dll
*** ERROR: Module load completed but symbols could not be loaded for System.Web.Mvc.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\cb6d38da3ca9a62afed46123b693899e\System.Web.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System\4598449d72d7ebbd53952399ed5fc710\System.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.ni.dll
*** WARNING: Unable to verify timestamp for alk_dalkutil64.dll
*** ERROR: Module load completed but symbols could not be loaded for alk_dalkutil64.dll
FAULTING_IP:
KERNELBASE!RaiseException+39
000007fe`fda8940d 4881c4c8000000 add rsp,0C8h
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fefda8940d (KERNELBASE!RaiseException+0x0000000000000039)
ExceptionCode: e0434352 (CLR exception)
ExceptionFlags: 00000001
NumberParameters: 5
Parameter[0]: ffffffff80004003
Parameter[1]: 0000000000000000
Parameter[2]: 0000000000000000
Parameter[3]: 0000000000000000
Parameter[4]: 000007fefa140000
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=0000000001470000 rbx=000000001791d5d0 rcx=0000000001470000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000002
rip=0000000077be186a rsp=000000001791d498 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000040 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=000000001791d540
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwWaitForMultipleObjects+0xa:
00000000`77be186a c3 ret
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: w3wp.exe
ERROR_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>
EXCEPTION_PARAMETER1: ffffffff80004003
EXCEPTION_PARAMETER2: 0000000000000000
EXCEPTION_PARAMETER3: 0000000000000000
EXCEPTION_PARAMETER4: 0
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: w3wp.exe
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
MANAGED_STACK:
EXCEPTION_OBJECT: !pe 103f98b08
Exception object: 0000000103f98b08
Exception type: System.AccessViolationException
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException: <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004003
MANAGED_OBJECT: !dumpobj ffb11420
Name: System.String
MethodTable: 000007fef8886500
EEClass: 000007fef81a3750
Size: 26(0x1a) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:
Fields:
MT Field Offset Type VT Attr Value Name
0000000000000000 40000aa 8 System.Int32 1 instance 0 m_stringLength
0000000000000000 40000ab c System.Char 1 instance 0 m_firstChar
000007fef8886500 40000ac 18 System.String 0 shared static Empty
>> Domain:Value 0000000002488520:NotInit 0000000002576750:NotInit <<
EXCEPTION_MESSAGE: Attempted to read or write protected memory. This is often an indication that other memory is corru
MANAGED_OBJECT_NAME: SYSTEM.ACCESSVIOLATIONEXCEPTION
MANAGED_STACK_COMMAND: ** Check field _remoteStackTraceString **;!do 103f98b08;!do ffb11420
LAST_CONTROL_TRANSFER: from 000007fefa35565b to 000007fefda8940d
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION
STACK_TEXT:
00000000`00000000 00000000`00000000 w3wp!Unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: w3wp!Unknown
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: w3wp
IMAGE_NAME: w3wp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7afa2
STACK_COMMAND: ** Check field _remoteStackTraceString **;!do 103f98b08;!do ffb11420 ; ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: WRONG_SYMBOLS_e0434352_w3wp.exe!Unknown
BUCKET_ID: X64_APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION_w3wp!Unknown
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:wrong_symbols_e0434352_w3wp.exe!unknown
FAILURE_ID_HASH: {419a5b7f-31d5-d77e-cd0e-fe26c9258bfb}
Followup: MachineOwner
=== Edited on September 25
I have set up an environment variable _NT_SYMBOL_PATH - symsrv*symsrv.dll*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols
I am wondering why it isn't loading all symbols dynamically.
I did a .symfix;.reload and I get the prompt for some time. Then I get a lot of .... on the screen and the regular prompt is back.
Then I did a "!sym noisy" and did ".symfix;.reload" again...
I get the following messages
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
..
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached
DBGHELP: ntdll - public symbols
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb
..............................................................
................................................................
................................................................
................................................................
................................................................
.....
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached
DBGHELP: KERNELBASE - public symbols
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb
Upvotes: 0
Views: 4836
Reputation: 59513
Is there any problem in my symbol setup?
Yes. Correct it with the commands
.symfix x:\symbols; * Wherever you want the symbols to be
.reload
Or, if you have other symbol paths already set up:
.symfix+ x:\symbols
.reload
Or is this analysis pointing to some actual issue?
Also. You have a .NET exception which crashes your program. That is an issue.
The type is AccessViolation, something similar to a NullReferenceException. Hopefully, fixing symbols does not make a huge difference here.
Could somebody please guide me on how to analyze this further?
After fixing the symbols, proceed with
.loadby sos clr
!pe
!clrstack
Upvotes: 2
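Added example (not part of the answer above and not a WinDbg feature): a small Python triage pass over saved !analyze -v text that separates the symbol-loading warnings from the fault record, which is the split the question asks about. The sample text is constructed from lines quoted in the question; the function name triage and its result keys are illustrative assumptions.

```python
import re

# Constructed sample: a few lines in the shape of the !analyze -v output in the question.
SAMPLE = """\
*** WARNING: Unable to verify timestamp for webengine4.dll
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
*** ERROR: Module load completed but symbols could not be loaded for alk_dalkutil64.dll
ExceptionCode: e0434352 (CLR exception)
Parameter[0]: ffffffff80004003
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
Exception type: System.AccessViolationException
"""

CLR_EXCEPTION = 0xE0434352                 # code shown as "(CLR exception)" in the output
HRESULT_NAMES = {0x80004003: "E_POINTER"}  # small lookup, extend as needed

def triage(text):
    """Split symbol-setup noise from the actual fault in !analyze -v output."""
    r = {"symbol_errors": [], "symbol_warnings": [], "wrong_symbols": False,
         "clr_exception": False, "hresult": None, "managed_type": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"\*\*\* ERROR: .*symbols could not be loaded for (\S+)", line):
            r["symbol_errors"].append(m.group(1))
        elif m := re.match(r"\*\*\* WARNING: Unable to verify (?:timestamp|checksum) for (\S+)", line):
            r["symbol_warnings"].append(m.group(1))
        elif m := re.match(r"ExceptionCode: ([0-9a-fA-F]+)", line):
            r["clr_exception"] = int(m.group(1), 16) == CLR_EXCEPTION
        elif m := re.match(r"Parameter\[0\]: ([0-9a-fA-F]+)", line):
            # The value is printed sign-extended to 64 bits; the low 32 bits
            # match the HResult field of the managed exception in the dump.
            code = int(m.group(1), 16) & 0xFFFFFFFF
            r["hresult"] = HRESULT_NAMES.get(code, hex(code))
        elif line.startswith("DEFAULT_BUCKET_ID:"):
            # WRONG_SYMBOLS means the bucket itself is not trustworthy yet.
            r["wrong_symbols"] = "WRONG_SYMBOLS" in line
        elif m := re.match(r"Exception type: (\S+)", line):
            r["managed_type"] = m.group(1)
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A result with wrong_symbols set and a managed_type present means both things are true at once: the symbol path needs fixing, and there is a real managed exception to follow up with !pe and !clrstack.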