
Unable to get W2k Symbolic file for windbg debugging

Discussion in 'Legacy Windows' started by cpc2004, 2005/08/29.

  1. 2005/08/29
    cpc2004

    cpc2004 Inactive Thread Starter

    Joined:
    2005/07/08
    Messages:
    366
    Likes Received:
    0
    I am using XP and I have some minidumps from W2k. The W2K version is at May 06 2005. It would not load the W2k symbol file. I can load the older version of the W2K symbolic file from the Microsoft symbol server. I cannot format the stack trace. I tried to use .sympath and .reload. I still cannot get the symbolic file. I cannot analyze my friend's minidump properly. Any advice is appreciated.

    .sympath srv*c:\websymbols*http://msdl.microsoft.com/download/symbols
    .reload

    Microsoft (R) Windows Debugger Version 6.5.0003.7
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [I:\PD\Minidump\W2K\Dumps\Mini082605-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*c:\websymbols*http://msdl/microsoft.com/download/symbols
    Executable search path is:
    Unable to load image ntoskrnl.exe, Win32 error 2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
    Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
    Kernel base = 0x80400000 PsLoadedModuleList = 0x804814c0
    Debug session time: Fri Aug 26 12:04:05.624 2005 (GMT+8)
    System Uptime: not available
    Unable to load image ntoskrnl.exe, Win32 error 2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
    Use !analyze -v to get detailed debugging information.
    BugCheck 1E, {c0000005, 1, 0, 1}
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    Followup: MachineOwner
    ---------

    kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 00000001, The address that the exception occurred at
    Arg3: 00000000, Parameter 0 of the exception
    Arg4: 00000001, Parameter 1 of the exception

    Debugging Details:
    ------------------

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    MODULE_NAME: nt
    FAULTING_MODULE: 80400000 nt
    DEBUG_FLR_IMAGE_TIMESTAMP: 427b58bb
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx "
    FAULTING_IP:
    +1
    00000001 ?? ???

    EXCEPTION_PARAMETER1: 00000000
    EXCEPTION_PARAMETER2: 00000001

    READ_ADDRESS: unable to get nt!MmPoolCodeEnd
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPagedPoolEnd
    unable to get nt!MmNonPagedPoolEnd
    unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSpecialPoolStart
    unable to get nt!MmPagedPoolStart
    unable to get nt!MmNonPagedPoolExpansionStart
    unable to get nt!MmPoolCodeStart
    00000001

    CUSTOMER_CRASH_COUNT: 1
    DEFAULT_BUCKET_ID: DRIVER_FAULT
    BUGCHECK_STR: 0x1E
    LAST_CONTROL_TRANSFER: from 00000000 to 8042eeda

    STACK_TEXT:
    ba9581a4 00000000 c0000005 00000001 00000000 nt+0x2eeda

    STACK_COMMAND: .bugcheck ; kb
    FAILED_INSTRUCTION_ADDRESS:
    +1
    00000001 ?? ???

    FOLLOWUP_NAME: MachineOwner
    BUCKET_ID: WRONG_SYMBOLS
    Followup: MachineOwner
    ---------

    kd> lm tn
    start end module name
    80062000 80076100 hal hal.dll Fri Mar 21 10:04:40 2003 (3E7A7338)
    80400000 8059cb40 nt ntoskrnl.exe Fri May 06 19:44:59 2005 (427B58BB)
    a0000000 a018ee40 win32k win32k.sys Sat Feb 19 08:28:34 2005 (42168832)

    cpc2004
     
  2. 2005/08/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I'm not even sure if this is possible but when I get home I'll fire off an email to an expert and let you know what he suggests. It will be a few hours though.
     
    Newt,
    #2


  4. 2005/08/31
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Just a quick update. Email sent this morning. Probably have an answer waiting when I get home or else tomorrow some time. I'll post it when I get it.
     
    Newt,
    #3
  5. 2005/08/31
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    The trick with minidumps is that you must analyze them on the machine they were generated on. They do not have the headers for the DLLs to let the symbols be pulled down correctly.

    So, in order for you to get a good stack, you will need to look at it on your friend's W2k machine (or at least have him dump out the stuff you are interested in). From what I can tell, it looks like you will have a null EIP, so you are going to need to run a DDS ESP to hand-rebuild the stack.
     
  6. 2005/08/31
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks Joe.

    cpc2004 - that was my expert so, what he said.
     
    Newt,
    #5
  7. 2005/09/01
    cpc2004

    cpc2004 Inactive Thread Starter

    Joined:
    2005/07/08
    Messages:
    366
    Likes Received:
    0
    Hi Joe and Newt,

    Thanks for your reply. This problem only occurs with W2K Version 2195 (Service Pack 4). It seems that Microsoft does not have the symbolic file for this version.

    I can decode the stack trace of XP but the internal format of stack trace of W2K is different to XP. Do you know how to decode the stack trace of W2K?

    Format of XP stack trace
    +00 address of next stack trace 8013ef74
    +04 RetAddr fe551aa1
    +08 1st Arg to child ff690269
    +0C 2nd Arg to child 00000002
    +10 3rd Arg to child fe5620d2

    I don't have problem to format the stack trace of minidumps from XP and W2K3.
     
  8. 2005/09/04
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    It's not that simple, unfortunately. There can be several different stack frame formats as of W2k and higher.

    +00 address of next stack trace 8013ef74
    +04 RetAddr fe551aa1
    +08 1st Arg to child ff690269
    +0C 2nd Arg to child 00000002
    +10 3rd Arg to child fe5620d2


    This isn't lined up correctly. 8013ef74 isn't a stack frame, it's probably the return address to NTOSKRNL. My recommendation is to play 'go fish' with the DDS command against the ESP address and see if you can make some sense out of it that way.
     
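The two things this thread turns on, the symbol lookup that fails in the first post and Joe's "go fish with DDS against ESP" advice, can both be checked by hand from pasted windbg text. The script below is an added example, not code from anyone in the thread. It parses the `lm tn` listing quoted in the first post and derives the symbol-store key the debugger requests for each image (the key format, `name/<TimeDateStamp 8 hex digits><SizeOfImage hex>/name`, and the fact that `lm` prints end = base + SizeOfImage are documented behaviour of Microsoft's symbol store, not something the thread states). It then walks a `dds esp`-style dump, keeping only slots whose dword points further up the stack and whose next dword lands inside a loaded module, which is the x86 [saved EBP][return address] pair Joe describes; that is exactly why a value like 8013ef74, which lies in code rather than on the stack, reads as a return address and not as a frame. The dds dump is constructed for the example; the module table is the one from the post.

```python
# Added example, not code from the thread. Two hand checks a debugger does for you
# once symbols load, done manually from pasted windbg text:
#   1. the symbol-store key for each image in an `lm tn` listing, and
#   2. an x86 frame walk over a `dds esp`-style dump, keeping only dwords that
#      look like a [saved EBP][return address] pair.
import re

# Input copied from the `lm tn` listing quoted in the first post.
LM_OUTPUT = """\
start end module name
80062000 80076100 hal hal.dll Fri Mar 21 10:04:40 2003 (3E7A7338)
80400000 8059cb40 nt ntoskrnl.exe Fri May 06 19:44:59 2005 (427B58BB)
a0000000 a018ee40 win32k win32k.sys Sat Feb 19 08:28:34 2005 (42168832)
"""

# CONSTRUCTED dds-style dump (address, dword per line); not from the real crash.
DDS_OUTPUT = """\
ba9581a4  00000000
ba9581a8  c0000005
ba9581ac  00000001
ba9581b0  8042eeda
ba9581b4  ba9581cc
ba9581b8  80417a10
ba9581bc  ff690269
ba9581c0  00000002
ba9581c4  fe5620d2
ba9581c8  00000000
ba9581cc  ba9581e0
ba9581d0  a0012345
ba9581d4  00000001
ba9581d8  00000000
ba9581dc  00000000
ba9581e0  00000000
ba9581e4  80067788
"""

LM_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+) (\S+) .*\(([0-9A-Fa-f]{8})\)$")

def parse_lm(text):
    """Parse `lm tn` lines into dicts with start/end/module/image/timestamp."""
    mods = []
    for line in text.splitlines():
        m = LM_RE.match(line.strip())
        if m:
            start, end, mod, image, ts = m.groups()
            mods.append({"start": int(start, 16), "end": int(end, 16),
                         "module": mod, "image": image, "timestamp": int(ts, 16)})
    return mods

def image_key(mod):
    """Symbol-store path for a PE image: name/<TimeDateStamp 8 hex><SizeOfImage hex>/name.
    `lm` prints end = base + SizeOfImage, so the size is end - start."""
    size = mod["end"] - mod["start"]
    return f"{mod['image']}/{mod['timestamp']:08X}{size:X}/{mod['image']}"

def find_module(mods, addr):
    """Return 'module+0xoffset' for a code address, or None if no loaded module covers it."""
    for mod in mods:
        if mod["start"] <= addr < mod["end"]:
            return f"{mod['module']}+0x{addr - mod['start']:x}"
    return None

def parse_dds(text):
    """Parse `dds`/`dd`-style 'address dword' lines into an {address: dword} map."""
    mem = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mem[int(parts[0], 16)] = int(parts[1], 16)
    return mem

def candidate_frames(mem, mods):
    """Stack slots whose dword points further up the same dump and whose +4 dword
    lies inside a module: the x86 [saved EBP][return address] layout."""
    hi = max(mem) + 4
    hits = []
    for addr in sorted(mem):
        nxt, ret = mem[addr], mem.get(addr + 4)
        if addr < nxt < hi and ret is not None and find_module(mods, ret):
            hits.append(addr)
    return hits

def walk_frames(mem, mods, frame):
    """Follow the saved-EBP chain from `frame`, stopping when it leaves the dump."""
    lo, hi = min(mem), max(mem) + 4
    frames = []
    while lo <= frame < hi and frame + 4 in mem:
        nxt, ret = mem[frame], mem[frame + 4]
        frames.append((frame, ret, find_module(mods, ret)))
        if not (frame < nxt < hi):
            break
        frame = nxt
    return frames

if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    for mod in mods:
        print(image_key(mod))
    mem = parse_dds(DDS_OUTPUT)
    start = candidate_frames(mem, mods)[0]
    for frame, ret, where in walk_frames(mem, mods, start):
        print(f"{frame:08x}  ret={ret:08x}  {where}")
```

Run as-is it prints the three store keys (for nt: `ntoskrnl.exe/427B58BB19CB40/ntoskrnl.exe`, which is what the `.reload` in the first post asks the server for, and which "Win32 error 2", file not found, says the server did not have) and then the reconstructed chain from the constructed dump. Dwords that fall in no listed module, such as the fe5620d2 in the sample, are reported as None: on a real dump that usually means a driver that is not in the `lm` output, which is the address to look up next.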
