Windbg and Symbol Files

Asked 15/8, 2013 at 19:52 Answered 27/5, 2015 at 21:43

I have a problem with symbol files. I experimented with the symbol file path and set the path as follows:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols;C:\Users\myuser\Desktop\driver2\objchk_win7_x86\i386

But afterwards I changed it to the following:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols;C:\Users\myuser\Desktop\mydriver\objchk_win7_x86\i386

I changed the driver2 with mydriver in the path: this is the path where the .pdb file for my driver is located. The problem is that .sympath prints the right path as shown below:

kd> .sympath
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;C:\Users\myuser\Desktop\mydriver\objchk_win7_x86\i386
Expanded Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;c:\users\myuser\desktop\mydriver\objchk_win7_x86\i386

But the symbols for the driver are still not found. If I run .reload command, we can see that WinDbg is looking for .pdb in driver2/ directory instead of mydriver/ directory.

kd> .reload /f mydriver.sys
SYMSRV:  c:\symbols\mydriver.pdb\3D655E533B0449A38D7AB0AF637CE9201\mydriver.pdb not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/mydriver.pdb/3D655E533B0449A38D7AB0AF637CE9201/mydriver.pdb not found
SYMSRV:  c:\users\myuser\desktop\mydriver\objchk_win7_x86\i386\mydriver.pdb\3D655E533B0449A38D7AB0AF637CE9201\mydriver.pdb not found
DBGHELP: c:\users\myuser\desktop\driver2\objchk_win7_x86\i386\mydriver.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for mydriver.sys
DBGHELP: mydriver - no symbols loaded

I've deleted all the workspaces, closed WinDbg, restarted Windows, but the driver2/ entry is still there: it must be in the default workspace's cache or somewhere. How can I delete the whole personal settings of WinDbg including those caches, so I can restart WinDbg and be gone with the driver2/ path and make it use mydriver/.

I could also solve the problem with renaming the mydriver/ directory back into driver2/, but I don't want to solve the problem like that. I want to understand what's going on and solve it the best I can.

Walkup answered 15/8, 2013 at 19:52 Comment(0)

!sym noisy

will tell you why it did not want to load the pdb. Perhaps you did rebuild your driver and the pdb guid or pdb age does no longer match. If you are sure that you have built the same source files you can force loading of your pdb by

.reload /i /f yourdriver.sys

/i is the magic switch to load also mismatched pdbs. This switch will not load any driver from your symbol server but it will consider only local file paths to load your driver. Also symbol store directories (SRV*) are not considered since there would be many versions to choose from. But if your .sympath directly points to your pdb it will be loaded.

Lundeen answered 27/5, 2015 at 21:43 Comment(1)

/i works for me, in my case, I use windbg 6.2.8299.0 AMD64 version on Windows 7 with SP1 to debug a full-dump file. I'm very sure the .sympath is correct, and I use symchk to verify the .dll and .pdb is matched perfectly. But windbg still refuse to load the pdb. BTW, from windbg help, /i also implies /f even if you have not specify /f flag. – Taut 21/7, 2016 at 9:19

Is the driver originally compiled & built in the driver2 path? What is the location of mydriver.sys?

For example assume I have symbol path 'c:\users\rahulsundar\desktop' set and try to load ntdll.dll, then it displays below error,

0:000> .reload ntdll.dll
DBGHELP: c:\users\rahulsundar\desktop\ntdll.pdb - file not found
DBGHELP: c:\users\rahulsundar\desktop\dll\ntdll.pdb - file not found
DBGHELP: c:\users\rahulsundar\desktop\symbols\dll\ntdll.pdb - file not found
DBGHELP: C:\Windows\SYSTEM32\ntdll.pdb - file not found
DBGHELP: ntdll.pdb - file not found
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
DBGHELP: ntdll - export symbols

Note: Windbg by default searches ntdll.pdb from the same location 'C:\Windows\SYSTEM32'

One way to solve the current issue, from the log its clear that windbg expects pdb file in directory 'c:\users\myuser\desktop\mydriver\objchk_win7_x86\i386\mydriver.pdb\3D655E533B0449A38D7AB0AF637CE9201\mydriver.pdb'.

So manually create directory till 'mydriver.pdb\3D655E533B0449A38D7AB0AF637CE9201' and place pdb file there.

This is just a standard way( binaryfoldername\hashid\pdbfile ) that Windows expects a symbol for a binary.

Darden answered 16/8, 2013 at 14:19 Comment(3)

Hi, yes I can solve the problem like that. I can also solve it by renaming the mydriver to driver2 directory. I first compiled the driver in driver2 directory, then renamed directory to mydriver, delete all files excpect mydriver.c and recompiled. I stopped the driver, deleted it and restart the debugged Windows system; I also restarted debugee system. I think, the problem is that WinDbg saved this path somewhere in cache and I'm interested where; the default workspace view is also changed once the debuggee connects to Windbg, so workspace must be saved somewhere, despite me deleting it. – Walkup 17/8, 2013 at 11:2

Seems like for the driver file the paths are being cumulated. Not sure if its a real bug in windbg or documentation bug. If you suspect it to be a bug in Windbg, you can try installing the latest version of windbg to see if it fixes the issue. As well you can try deleting the appropriate default workspaces(user\kernel\remote etc) and save the one you want as default by File->Save WS as->Default in the appropriate mode(user\kernel\remote) – Darden 19/8, 2013 at 8:29

this might be useful: msdn.microsoft.com/en-us/library/windows/hardware/… – Outlook 7/12, 2013 at 14:2

Better way to solve this - turn on sim noisy and look at path at .reload /f my_driver.sys or add new path to .sympath[+] path/to/pdb and do the same

Ashbey answered 16/3, 2015 at 16:7 Comment(0)

Recommended topics

Hot tags