windbg finds my application pdb file even when I haven't revealed its path

Question

1. I created a simple demo application (app.exe) in default projects folder under my documents.
2. I copied the app.exe to c:\test\app folder without copying the pdb file.

I run this executable with windbg (File menu > Open executable). I expect it NOT to find the symbol file but it does!

I set sympath to .sympath srv*c:\test\Symbols*https://msdl.microsoft.com/download/symbols

The output for lm is

0:000> lm
start    end        module name
013b0000 013b8000   App      C (private pdb symbols)  c:\users\username\documents\visual studio 2013\Projects\App\Release\App.pdb
0f500000 0f571000   MSVCP120   (private pdb symbols)  c:\test\symbols\msvcp120.i386.pdb\0B631FCA474F4F6FBBE54C497C5821361\msvcp120.i386.pdb
0f740000 0f82e000   MSVCR120   (private pdb symbols)  c:\test\symbols\msvcr120.i386.pdb\16F5E2EF340A453ABC8B8F67DC6FD8082\msvcr120.i386.pdb
76860000 768a7000   KERNELBASE   (pdb symbols)          c:\test\symbols\wkernelbase.pdb\90BA6126FA6340F1ABFAE58DB8B7FB7D1\wkernelbase.pdb
769e0000 76af0000   kernel32   (pdb symbols)          c:\test\symbols\wkernel32.pdb\515F42F53681439D989AC0FC08F7F8F72\wkernel32.pdb
77210000 77390000   ntdll      (pdb symbols)          c:\test\symbols\wntdll.pdb\B5ACAC3B4A6C4515AF416D60366399652\wntdll.pdb

So the executable I am running is in c:\test\app\app.exe, how does it finds its pdb file in my documents folder?

I verified, it is not cached.

Answer 1

Applications contain the path to the PDB file in the executable itself. You can make that visible in various ways:

1. You can verify that e.g. with Sysinternals Strings utility:

   strings app.exe | findstr ".pdb"
   

   will output the full path to the PDB.

2. Another tool (a bit more specific to debugging) to achieve a similar result is DebugDir:

   E:\[...]\DebugDir>DebugDir.exe "E:\[...]\Reporter.exe"
   File: E:\[...]\Reporter.exe
   Number of entries in debug directory: 1
   
   Debug directory entry 1:
   Type: 2 ( CodeView )
   TimeStamp: 5772e493  Characteristics: 0  MajorVer: 0  MinorVer: 0
   Size: 120  RVA: 000ba482  FileOffset: 000b8682
   CodeView format: RSDS
   Signature: {eac36e37-78c5-47c5-bc95-7c6e5896f694}  Age: 1
   PdbFile: E:\[...]\obj\Debug\Reporter.pdb
   

3. In WinDbg itself, use !lmi

   0:009> !lmi Reporter
   [...]
   Debug Data Dirs: Type  Size     VA  Pointer
                CODEVIEW    77, 82cf2,   80ef2 RSDS - GUID: {588CF7EE-FA7C-44F9-850C-382520749BE8}
                  Age: 1, Pdb: E:\[...]\obj\Debug\Reporter.pdb
       Symbol Type: DEFERRED - No error - symbol load deferred
       Load Report: no symbols loaded
   

   Alternatively, first find out the address of the module and then dump the headers (which is quite verbose).

   0:009> lm m Reporter
   start    end        module name
   002c0000 00350000   Reporter   (deferred)             
   
   0:009> !dh 002c0000 
   [...]
   Debug Directories(1)
       Type       Size     Address  Pointer
       cv           77       82cf2    80ef2    Format: RSDS, guid, 1,     E:\[...]\obj\Debug\Reporter.pdb
   

If you don't want the path to be part of your executable, check if there's a compiler/linker setting that turns this feature off, e.g. /pdbpath:none for the Microsoft Visual C++ compiler.

If you don't want the debugger to find the PDB, move the PDB into a different folder instead of the executable.