Windbg dump analysis: what causes error 0x80004002 while asking for handle information?
I'm debugging the memory dump of a process, of which I assume the number of handles becoming too large. When I open the dump in Windbg, I see following error/warning message (I don't know if this is relevant to my question) :
Dir entry 8, HandleDataStream stream has too many elements (0xfefffd > 0x400000)
While launching the Windbg !handle extension command, I see following error message:
0:000> !handle
ERROR: !handle: extension exception 0x80004002.
"Unable to read handle information"
I have already launched that same extension command on other memory dumps of the same process (maybe another version). Hence I don't understand the relevance of most Google results of that error code (something about a wrong interface).
Does anybody know what might cause the mentioned error code and what I can do in order to see the amount of handles in my application dump?
For your information, I'm not interested in every single handle, just the total amount of them.
Edit after first comments
The results of .dumpdebug are the following: (only handle related)
0:000> .dumpdebug
----- User Mini Dump Analysis
MINIDUMP_HEADER:
Version A793 (62F0)
NumberOfStreams 13
Flags 61826
0002 MiniDumpWithFullMemory
0004 MiniDumpWithHandleData
...
Stream 8: type HandleDataStream (12), size 27D7FF98, RVA 101DEF6C
Dir entry 8, HandleDataStream stream has too many elements (0xfefffd > 0x400000)
Stream 9: type CommentStreamW (11), size 000001A0, RVA 000102E0
'
*** "C:\Internal\Tools\Procdump\procdump.exe" -ma -accepteula 18732 C:\Dumps\Own_Application_PID_18732_2019_02_07_11_38_02_777_NOW.dmp
*** Manual dump'
(The results of .dumpdebug and Dumpchk.exe are very similar, I decided not to add them too)
Edited after chdump.py result
Hereby the result (partially) of chdump.py:
MINIDUMP_HEADER EXCLUDING SIGNATURE
version 0xa793
internal version 0x62f0
Number of Streams 0xd
Stream Directory RVA 0x20
CheckSum 0x0
u.TimeDateStamp 2019-02-07 11:45:24
Flags 0x61826
MINIDUMP_DIRECTORY
StreamType DataSize RVA
0x3 0x754 0x434
0x11 0x9cc 0xb88
0x4 0x1588 0x1554
0x13 0x290 0x2adc
0x9 0x12250 0x37fc9f84
0x10 0x6b080 0x37f5ef04
0x7 0x38 0xbc
0xf 0x340 0xf4
0xc 0x27d7ff98 0x101def6c
0xb 0x1a0 0x102e0
0x0 0x0 0x0
0x0 0x0 0x0
0x0 0x0 0x0
_MHDesc2
Handle TypeNameRva ObjectNameRva Attributes GrantedAccess HandleCount PointerCount ObjectInfoRva Reserved0
0x4 0x10490 0x104a8 0x10 0x3 0x7c 0x1ee0c0b 0x0 0x0
0x8 0x104c2 0x0 0x0 0x100020 0x2 0x80001 0x0 0x0
0xc 0x104d0 0x104dc 0x0 0x1 0x2 0x80001 0x0 0x0
0x10 0x1055e 0x1056a 0x0 0x20019 0x2 0x80000 0x0 0x0
0x14 0x105f6 0x0 0x0 0x1f0000 0x2 0x80002 0x0 0x0
0x18 0x1060e 0x0 0x0 0x1f0003 0x2 0x80001 0x0 0x0
0x28 0x1061e 0x1062a 0x0 0xf003f 0x2 0x7ffba 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x30 0x10652 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x34 0x10662 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x38 0x10672 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x3c 0x10682 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x40 0x10692 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x44 0x106a2 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x4c 0x106b2 0x106ca 0x10 0xf 0x44 0xfe9d9c 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x78 0x106f2 0x0 0x0 0x1f0003 0x2 0x7ffc7 0x0 0x0
0x7c 0x10702 0x1070e 0x0 0x20019 0x2 0x7fffe 0x0 0x0
0x80 0x1077a 0x0 0x0 0x100020 0x2 0x40002 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x88 0x10788 0x0 0x0 0x100003 0x2 0x40002 0x0 0x0
0x8c 0x107a0 0x0 0x0 0x100003 0x2 0x40002 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0xb0 0x107b8 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xb4 0x107c8 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xb8 0x107d8 0x0 0x0 0x1f0003 0x2 0x7fddf 0x0 0x0
0xbc 0x107f0 0x0 0x0 0x1f0003 0x2 0x7fea0 0x0 0x0
0xc0 0x10808 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xc4 0x10820 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xc8 0x10838 0x0 0x0 0x1f0003 0x2 0x7fff6 0x0 0x0
0xcc 0x10850 0x0 0x0 0x1f0003 0x2 0x7fd62 0x0 0x0
0xd0 0x10868 0x0 0x0 0x1f0003 0x2 0x6f1cc 0x0 0x0
0xd4 0x10878 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xd8 0x10888 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xdc 0x108a0 0x108ac 0x0 0xf003f 0x2 0x80000 0x0 0x0
0xe0 0x108f6 0x10902 0x0 0x20019 0x2 0x80000 0x0 0x0
0xe4 0x10958 0x10964 0x0 0x20019 0x2 0x80001 0x0 0x0
0xe8 0x10a08 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xec 0x10a18 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0xf0 0x10a28 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x100 0x10a38 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x104 0x10a48 0x0 0x0 0x1fffff 0x4 0xff501 0x10a5a 0x0
0x108 0x10a96 0x0 0x0 0x1f0000 0x2 0x7fff8 0x0 0x0
0x10c 0x10aae 0x0 0x0 0x1f0003 0x2 0x7fffe 0x0 0x0
0x110 0x10abe 0x0 0x0 0x1f0003 0x2 0x5ebe2 0x0 0x0
0x114 0x10adc 0x0 0x0 0xf00ff 0x2 0x73b3f 0x0 0x0
0x118 0x10b00 0x0 0x0 0x100002 0x2 0x80002 0x0 0x0
0x11c 0x10b10 0x0 0x0 0x1 0x2 0x80002 0x0 0x0
0x120 0x10b3e 0x0 0x0 0x100002 0x2 0x7d72d 0x0 0x0
0x124 0x10b4e 0x0 0x0 0x1 0x2 0x5ebe2 0x0 0x0
0x128 0x10b7c 0x0 0x0 0x1f0003 0x2 0x80000 0x0 0x0
0x12c 0x10b8c 0x0 0x0 0x1f0003 0x2 0x80000 0x0 0x0
0x130 0x10b9c 0x0 0x0 0x1f0003 0x2 0x5671f 0x0 0x0
0x134 0x10bac 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x138 0x10bbc 0x0 0x0 0x1fffff 0x4 0xbf505 0x10bce 0x0
0x13c 0x10c0a 0x0 0x0 0x1f0003 0x2 0x40002 0x0 0x0
0x140 0x10c1a 0x0 0x0 0x1f0003 0x2 0x74432 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x148 0x10c2a 0x0 0x0 0x1f0003 0x2 0x80001 0x0 0x0
0x14c 0x10c3a 0x0 0x0 0x100001 0x2 0x7feb3 0x0 0x0
0x150 0x10c48 0x0 0x0 0x1f0003 0x2 0x80001 0x0 0x0
0x154 0x10c58 0x0 0x0 0x1f0000 0x2 0x4d899 0x0 0x0
0x158 0x10c70 0x0 0x0 0x1f0003 0x2 0x7ffdc 0x0 0x0
0x15c 0x10c80 0x0 0x0 0x1f0003 0x2 0x80000 0x0 0x0
0x160 0x10c90 0x10c9c 0x0 0xf003f 0x2 0x7ffd6 0x0 0x0
0x164 0x10ce6 0x0 0x0 0x1f0003 0x2 0x80000 0x0 0x0
0x168 0x10cf6 0x10d0a 0x0 0x4 0xa3 0x28c0002 0x0 0x0
0x16c 0x10d5a 0x10d66 0x0 0xf003f 0x2 0x7ffc4 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x174 0x10db0 0x10dc0 0x10 0x100001 0x53 0x18003f 0x0 0x0
0x178 0x10e10 0x10e1c 0x0 0x20019 0x2 0x7fff4 0x0 0x0
0x17c 0x10e94 0x10ea0 0x0 0x20019 0x2 0x7fff4 0x0 0x0
0x180 0x10f1c 0x10f30 0x0 0x4 0xa3 0x28c0002 0x0 0x0
0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0
0x188 0x10f80 0x0 0x0 0x120089 0x2 0x7fffc 0x0 0x0
0x18c 0x10f8e 0x0 0x0 0xf0005 0x2 0x80001 0x0 0x0
It does very far: the Python script even stopped, due to a memory error, after having generated ±13 million(!) lines of results.
Thanks in advance
Dominique1 Answer
The Format of Minidump file is almost Documented You can parse the file yourself without having to Rely on windbg
say with python
the Error seems to be Explicit there is some corruption in the _MINIDUMP_DIRECTORY->DataSize
The Max Number of Handles iirc is limited to 10000 handles per process
(browse for Raymond Chens blog old new thing)
so there is must be some hardcoded limit for the stream size which when violated
results in that error
below is a quickly churned python script that takes a dump and dumps the raw data open the dump in hexeditor and peer around or maybe patch to recover part handle information
%%writefile chkdump.py
import sys
import os
import struct
import datetime
scriptname = os.path.split(sys.argv[0])[1]
if (len(sys.argv) != 2 ):
sys.exit("usage python %s path_to_dump" % scriptname)
fin = open(sys.argv[1],'rb')
if( fin.read(4) != 'MDMP' ):
fin.close()
sys.exit("not a windbg dump file no MDMP signature")
print ( "MINIDUMP_HEADER EXCLUDING SIGNATURE")
dmphdr = struct.unpack("<HHiiiiQ",fin.read(28))
print ( "%-20s\t0x%x") % ( "version", dmphdr[0] )
print ( "%-20s\t0x%x") % ( "internal version", dmphdr[1] )
print ( "%-20s\t0x%x") % ( "Number of Streams", dmphdr[2] )
print ( "%-20s\t0x%x") % ( "Stream Directory RVA", dmphdr[3] )
print ( "%-20s\t0x%x") % ( "CheckSum", dmphdr[4] )
print ( "%-20s\t") % ( "u.TimeDateStamp" ),
print ( datetime.datetime.fromtimestamp(dmphdr[5]))
print ( "%-20s\t0x%x") % ( "Flags", dmphdr[6] )
print ("\nMINIDUMP_DIRECTORY ")
print ("%-24s%-24s%-24s") % ("StreamType" , "DataSize","RVA")
streamdata = []
for i in range(0,dmphdr[2],1):
streamdata.insert(i,struct.unpack("<iii",fin.read(12)))
print ("%-24s%-24s%-24s") % ( hex(streamdata[i][0]),
hex(streamdata[i][1]),hex(streamdata[i][2]))
HStreamLoc, = [z for (x,y,z) in streamdata if x == 0xc]
HStreamDSize, = [y for (x,y,z) in streamdata if x == 0xc]
fin.seek(HStreamLoc)
sizeof_HDStream = 16
HDStream = struct.unpack("<iiii",fin.read(sizeof_HDStream))
assert (HDStream[1] * HDStream[2] + sizeof_HDStream ) == HStreamDSize
print ("_MHDesc2")
sizeof_MHDesc2 = 40
HDesc = []
print ("%-14s%-14s%-14s%-14s%-14s%-14s%-14s%-14s%-14s") % ("Handle" ,"TypeNameRva",
"ObjectNameRva","Attributes","GrantedAccess","HandleCount","PointerCount",
"ObjectInfoRva","Reserved0")
for i in range(0,HDStream[2],1):
HDesc.insert(i,struct.unpack("<Qiiiiiiii",fin.read(sizeof_MHDesc2)))
print ("%-14s%-14s%-14s%-14s%-14s%-14s%-14s%-14s%-14s") % ( hex(HDesc[i][0]),
hex(HDesc[i][1]), hex(HDesc[i][2]), hex(HDesc[i][3]),hex(HDesc[i][4]),
hex(HDesc[i][5]), hex(HDesc[i][6]),hex(HDesc[i][7]), hex(HDesc[i][8]))
when executed it would return data like this for handle stream
MINIDUMP_HEADER EXCLUDING SIGNATURE
version 0xa793
internal version 0x61b1
Number of Streams 0xd
Stream Directory RVA 0x20
CheckSum 0x0
u.TimeDateStamp 2019-02-14 02:38:24
Flags 0x61826
MINIDUMP_DIRECTORY
StreamType DataSize RVA
0x3 0x94 0x1dc
0x11 0xcc 0x270
0x4 0xc40 0x33c
0x13 0x388 0xf7c
0x9 0x1100 0x91f0
0x10 0x4f30 0x42c0
0x7 0x38 0xbc
0xf 0xe8 0xf4
0xc 0xb28 0x3798
0xb 0x58 0x294c
0x0 0x0 0x0
0x0 0x0 0x0
0x0 0x0 0x0
_MHDesc2
Handle TypeNameRva ObjectNameRva Attributes GrantedAccess HandleCount PointerCount ObjectInfoRva Reserved0
0x4 0x29b4 0x29cc 0x10 0x3 0x2d 0x54 0x0 0x0
0x8 0x29e6 0x0 0x0 0x100020 0x2 0x3 0x0 0x0
0xc 0x29f4 0x0 0x0 0x100020 0x2 0x3 0x0 0x0
0x10 0x2a02 0x0 0x0 0x100020 0x2 0x3 0x0 0x0
0x14 0x2a10 0x0 0x0 0x1f0000 0x2 0x5 0x0 0x0
EDIT
i have edited the code to print handle , type name , object name and put it here
the results will be like
Handle TypeName ObjectName
0x4 Directory \KnownDlls
0x8 File No ObjName
0xc File No ObjName
0x10 File No ObjName
0x14 ALPC Port No ObjName
0x18 Key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
it should print all the 16.7 million handles in your dump if they exist
blabbUser contributions licensed under CC BY-SA 3.0