Windbg: USER mode dump, windows event is set or not


I am trying to debug a dump of my user-mode service that is stuck in STOPPED_PENDING, just checking whether the service stop event "MySvcStopEvent" is set or not. I got the event handle and tried to dump the handle details:

0:002> !handle  0x00000000`00000164 f
Handle 0000000000000164
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   3
  PointerCount  785993
  Name          \BaseNamedObjects\MySvcStopEvent
  Object specific information

I am not able to figure out whether the event is set or not.

windbg
usermode
asked on Stack Overflow Sep 19, 2019 by user3664223 • edited Sep 19, 2019 by Neitsa
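The asker's `!handle` block ends at the "Object specific information" header with nothing under it, while a handle-bearing dump prints "Event Type ..." and "Event is Set/Waiting" beneath it. The following added example (mine, not from the question or from the debugger package) parses that text form so a batch of `!handle 0 f Event` outputs can be triaged without reading each by hand; the second handle block in the constructed sample is assumed, only the first is the asker's.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input (not captured from a real dump): the asker's block,
# where "Object specific information" has no lines under it, plus a second
# named event, assumed here, of the kind a dump with handle data produces.
SAMPLE_HANDLE_OUTPUT = r"""
Handle 0000000000000164
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   3
  PointerCount  785993
  Name          \BaseNamedObjects\MySvcStopEvent
  Object specific information
Handle 000000000000003c
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65535
  Name          \BaseNamedObjects\OtherEvent
  Object Specific Information
    Event Type Auto Reset
    Event is Set
2 handles of type Event
"""

# One "Handle <hex>" line opens each block; WinDbg may print a backtick in the value.
_HANDLE_HDR = re.compile(r"^Handle\s+([0-9a-fA-F`]+)\s*$", re.MULTILINE)


def _field(body: str, label: str) -> Optional[str]:
    """Value of an indented 'Label   value' line inside one handle block."""
    pat = r"^[ \t]*%s[ \t]+(\S.*?)[ \t]*$" % re.escape(label)
    m = re.search(pat, body, re.MULTILINE)
    return m.group(1) if m else None


def parse_handle_output(text: str) -> Dict[int, dict]:
    """Split '!handle 0 f Event' style output into per-handle records.

    'state' is 'Set' or 'Waiting' when the dump carried object-specific data,
    and None when the section header is present but empty (the asker's case).
    """
    heads = list(_HANDLE_HDR.finditer(text))
    records: Dict[int, dict] = {}
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]
        ev_type = re.search(r"Event Type\s+(Manual Reset|Auto Reset)", body)
        state = re.search(r"Event is\s+(Set|Waiting)", body)
        records[int(h.group(1).replace("`", ""), 16)] = {
            "type": _field(body, "Type"),
            "name": _field(body, "Name"),
            # header casing differs between live targets and dumps, so ignore case
            "has_object_info": re.search(r"object specific information",
                                         body, re.IGNORECASE) is not None,
            "event_type": ev_type.group(1) if ev_type else None,
            "state": state.group(1) if state else None,
        }
    return records


def named_event_state(records: Dict[int, dict],
                      name: str) -> Optional[Tuple[int, Optional[str]]]:
    """Locate an Event handle whose object name's last path component is `name`."""
    for handle, rec in records.items():
        obj = rec["name"] or ""
        if rec["type"] == "Event" and obj.rsplit("\\", 1)[-1].lower() == name.lower():
            return handle, rec["state"]
    return None


def report(records: Dict[int, dict]) -> list:
    """Human-readable triage lines, one per handle, in handle order."""
    lines = []
    for handle, rec in sorted(records.items()):
        if rec["state"] is None:
            lines.append("0x%x %s: state not recorded in this dump" % (handle, rec["name"]))
        else:
            lines.append("0x%x %s: %s (%s)" % (handle, rec["name"],
                                               rec["state"], rec["event_type"]))
    return lines


if __name__ == "__main__":
    for line in report(parse_handle_output(SAMPLE_HANDLE_OUTPUT)):
        print(line)
```

A `None` state for a named event means the answer is not in the dump at all, not that the event is unsignalled; the only fix is recapturing the dump with handle data included.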

1 Answer


As commented, Object Specific Information will be displayed only if it is present in the dump.
You may have to create the dump using the appropriate options to make sure the info you seek is included in the dump.

Here is a live-target display for handle type Event:

0:000> !handle 0 f EVENT
Handle 4
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  32769
  Name          <none>
  Object Specific Information
    Event Type Manual Reset
    Event is Waiting
Handle c
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65537
  Name          <none>
  Object Specific Information
    Event Type Auto Reset
    Event is Waiting
Handle 3c
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65535
  Name          <none>
  Object Specific Information
    Event Type Auto Reset
    Event is Set
Handle 40
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65536
  Name          <none>
  Object Specific Information
    Event Type Auto Reset
    Event is Set
4 handles of type Event

You can use the dumpchk tool that is provided in the windbg package to check the dumps. It parses the _MINIDUMP_HEADER and emits statistics of the input dmp file, among which the NumberOfStreams or the _MINIDUMP_HEADER Flags indicate the amount of data that is present in the dump file.

The four dump files below were created with .dump, .dump /f, .dump /h and .dump /ma using windbg on a random process, and the relevant signals were grepped and posted:

F:\>f:\git\usr\bin\ls.exe -lag *.dmp
-rw-r--r-- 1 197121 7979145 Sep 20 13:09 bar.dmp
-rw-r--r-- 1 197121 7989384 Sep 20 13:10 blah.dmp
-rw-r--r-- 1 197121    9180 Sep 20 13:09 foo.dmp
-rw-r--r-- 1 197121   11198 Sep 20 13:10 hand.dmp

F:\>f:\git\usr\bin\ls.exe -lag *.txt
-rw-r--r-- 1 197121  8612 Sep 20 13:12 bar.txt
-rw-r--r-- 1 197121 22447 Sep 20 13:12 blah.txt
-rw-r--r-- 1 197121 13912 Sep 20 13:11 foo.txt
-rw-r--r-- 1 197121 15458 Sep 20 13:12 hand.txt

F:\>f:\git\usr\bin\grep.exe -ir "Loading.*Dump.*File" -A 1 *.txt
bar.txt:Loading Dump File [F:\bar.dmp]
bar.txt-User Dump File: Only application data is available
--
blah.txt:Loading Dump File [F:\blah.dmp]
blah.txt-User Mini Dump File with Full Memory: Only application data is available
--
foo.txt:Loading Dump File [F:\foo.dmp]
foo.txt-User Mini Dump File: Only registers, stack and portions of memory are available
--
hand.txt:Loading Dump File [F:\hand.dmp]
hand.txt-User Mini Dump File: Only registers, stack and portions of memory are available

F:\>f:\git\usr\bin\grep.exe -ir "Number.*of.*Streams" -A 1 *.txt
blah.txt:NumberOfStreams 17
blah.txt-Flags           641826
--
foo.txt:NumberOfStreams 13
foo.txt-Flags           40000
--
hand.txt:NumberOfStreams 15
hand.txt-Flags           40004

Regarding the last comment:

I based that answer on this quote from the documentation, and it worked for me a few times when I needed it, but the answer wasn't validated by the OP and was commented to be superfluous.

The quote from the documentation, in the Remarks section:

However, you cannot use this extension on user-mode dump files, unless you specifically created them with handle information. (You can create such dump files by using the .dump /mh (Create Dump File) command.)


EDIT: Curiosity always kills the cat

I created 3 dumps using Sysinternals procdump on a Win10 64-bit machine, using a 64-bit debuggee,
and loaded them all in windbg to look for handle type Event.
All of them have handle data and all of them have object-specific information.
So obviously this is a coin-toss problem, or probably a weird 64-bit / 32-bit corner-case issue, maybe.
No conclusive evidence pro or con could be derived.

f:\src\wait>f:\sysint\procdump.exe -mm wait.exe waitmm.dmp
f:\src\wait>f:\sysint\procdump.exe -ma wait.exe waitma.dmp
f:\src\wait>f:\sysint\procdump.exe -mc ffffffff wait.exe waitmc.dmp


f:\src\wait>f:\git\usr\bin\ls -lag *.dmp
-rw-r--r-- 1 197121 7003583 Sep 23 17:47 waitma.dmp
-rw-r--r-- 1 197121  124387 Sep 23 17:47 waitmc.dmp
-rw-r--r-- 1 197121  124369 Sep 23 17:47 waitmm.dmp


f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitmc.dmp

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64

0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65537
  Name          <none>
  Object specific information
    Event Type Manual Reset
    Event is Set
Handle 0000000000000008
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65538
  Name          <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting

4 handles of type Event
quit:

f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitma.dmp


0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65537
  Name          <none>
  Object specific information
    Event Type Manual Reset
    Event is Set
Handle 0000000000000008
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65538
  Name          <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting

4 handles of type Event
quit:


f:\src\wait>cdb -c "!handle 0 f Event;q" -z waitmm.dmp


0:000> cdb: Reading initial command '!handle 0 f Event;q'
Handle 0000000000000004
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65537
  Name          <none>
  Object specific information
    Event Type Manual Reset
    Event is Set
Handle 0000000000000008
  Type          Event
  Attributes    0
  GrantedAccess 0x1f0003:
         Delete,ReadControl,WriteDac,WriteOwner,Synch
         QueryState,ModifyState
  HandleCount   2
  PointerCount  65538
  Name          <none>
  Object specific information
    Event Type Auto Reset
    Event is Waiting

4 handles of type Event
quit:
answered on Stack Overflow Sep 20, 2019 by blabb • edited Sep 23, 2019 by blabb
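The answer points at dumpchk's _MINIDUMP_HEADER statistics (NumberOfStreams and Flags) as the way to tell whether a dump carries handle information before loading it. The following added example (mine, not the answer's or the debugger package's code) does that check directly on a .dmp file: it reads the MINIDUMP_HEADER and stream directory, decodes the Flags value against the MINIDUMP_TYPE bits from minidumpapiset.h (MiniDumpWithHandleData is 0x4, which is exactly the bit that separates the page's 0x40000 and 0x40004 values), and looks for the HandleDataStream entry (type 12). The `build_test_minidump` helper constructs a synthetic header-plus-directory so it runs offline; the stream body contents are not modelled.

```python
import struct
from typing import List, NamedTuple

MINIDUMP_SIGNATURE = 0x504D444D   # 'MDMP' as a little-endian DWORD
MINIDUMP_VERSION = 0xA793         # 42899, from minidumpapiset.h
HANDLE_DATA_STREAM = 12           # MINIDUMP_STREAM_TYPE::HandleDataStream
MAX_STREAMS = 1024                # sanity cap; a real dump has a few dozen at most

# MINIDUMP_TYPE bits, as defined in minidumpapiset.h
MINIDUMP_TYPE_BITS = {
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
    0x00200000: "MiniDumpWithAvxXStateContext",
    0x00400000: "MiniDumpWithIptTrace",
}

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp (DWORDs) then Flags (ULONG64); 32 bytes, no padding.
_HEADER = struct.Struct("<IIIIIIQ")
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
_DIRENTRY = struct.Struct("<III")


class DumpInfo(NamedTuple):
    number_of_streams: int
    flags: int
    stream_types: List[int]


def decode_flags(flags: int) -> List[str]:
    """Names of the MINIDUMP_TYPE bits set in a header Flags value."""
    names = [name for bit, name in MINIDUMP_TYPE_BITS.items() if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE_BITS)
    if unknown:
        names.append("unknown:0x%x" % unknown)
    return names


def inspect_minidump(data: bytes) -> DumpInfo:
    """Parse header and stream directory; the file is untrusted, so bounds-check."""
    if len(data) < _HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, _ver, nstreams, dir_rva, _csum, _ts, flags = _HEADER.unpack_from(data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump (signature 0x%08x)" % sig)
    if nstreams > MAX_STREAMS:
        raise ValueError("implausible NumberOfStreams %d" % nstreams)
    types = []
    for i in range(nstreams):
        off = dir_rva + _DIRENTRY.size * i
        if off + _DIRENTRY.size > len(data):
            raise ValueError("stream directory runs past end of file")
        stype, _size, _rva = _DIRENTRY.unpack_from(data, off)
        types.append(stype)
    return DumpInfo(nstreams, flags, types)


def has_handle_data(info: DumpInfo) -> bool:
    """True when !handle can work: a HandleDataStream is present."""
    return HANDLE_DATA_STREAM in info.stream_types


def build_test_minidump(flags: int, stream_types: List[int]) -> bytes:
    """Construct a synthetic header + directory (no stream bodies) for offline tests."""
    dir_rva = _HEADER.size
    header = _HEADER.pack(MINIDUMP_SIGNATURE, MINIDUMP_VERSION, len(stream_types),
                          dir_rva, 0, 0, flags)
    directory = b"".join(_DIRENTRY.pack(t, 0, 0) for t in stream_types)
    return header + directory


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        info = inspect_minidump(f.read())
    print("NumberOfStreams", info.number_of_streams)
    print("Flags 0x%x:" % info.flags, ", ".join(decode_flags(info.flags)))
    print("handle data present:", has_handle_data(info))
```

Run it as `python check_dump.py hand.dmp`. A dump whose Flags lack 0x4 and whose directory has no type-12 entry will never show "Event is Set" or "Event is Waiting" under !handle, however it was captured, so this is the check to run before spending time in the debugger.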

User contributions licensed under CC BY-SA 3.0