Dump All Strings from .NET 1.1 Memory Dump in WinDbg


I Have a .NET 1.1 memory dump I'm trying to analyze it, and while I can load .NET 1.1 SOS.dll fine, the problem is the SOS extension is missing a lot of commands. Unable to use SOS.dll from later .NET framework as I get this error message:

Failed to load data access DLL, 0x80004005
Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
            2) the file mscordacwks.dll that matches your version of mscorwks.dll is 
                in the version directory
            3) or, if you are debugging a dump file, verify that the file 
                mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
            4) you are debugging on the same architecture as the dump file.
                For example, an IA64 dump file must be debugged on an IA64

You can also run the debugger command .cordll to control the debugger's
load of mscordacwks.dll.  .cordll -ve -u -l will do a verbose reload.
If that succeeds, the SOS command should work on retry.

If you are debugging a minidump, you need to make sure that your executable
path is pointing to mscorwks.dll as well.

And as far as I can tell there is no mscordacwks DLL in .NET 1.1 (unless it has different name)

Normally I would use this command to dump all strings:

.foreach (obj {!dumpheap -type System.String -short}) {.printf "\n%mu",${obj}+0xc}

However this doesn't work as dumpheap does not have the -short option in .NET 1.1. The only cmds available are:

0:000> !sos.help
SOS : Help
COMState             | List COM state for each thread
ClrStack             | Provides true managed stack trace, source and line numbers.
                       Additional parameters: -p[arams] -l[ocals] -r[egs] -a[ll].
DumpClass <addr>     | Dump EEClass info
DumpDomain [<addr>]  | List assemblies and modules in a domain
DumpHeap [-stat] [-min 100] [-max 2000] [-mt 0x3000000] [-type <partial type name>] [-fix] [start [end]] | Dump GC heap contents
DumpMD <addr>        | Dump MethodDesc info
DumpMT [-MD] <addr>  | Dump MethodTable info
DumpModule <addr>    | Dump EE Module info
DumpObj <addr>       | Dump an object on GC heap
DumpStack [-EE] [-smart] [top stack [bottom stack] | -EE only shows managed stack items.
DumpStackObjects [top stack [bottom stack]
DumpVC <mt> <addr>   | Dump a value class object
EEHeap [-gc] [-win32] [-loader] | List GC/Loader heap info
EEStack [-short] [-EE] | List all stacks EE knows
EEVersion            | List mscoree.dll version
FinalizeQueue [-detail]     | Work queue for finalize thread
GCInfo [<MD>] [IP]   | Dump GC encoding info for a managed method
GCRoot <addr>        | Find roots on stack/handle for object
IP2MD <addr>         | Find MethodDesc from IP
Name2EE <module name> <item name> | Find memory address of EE data given a class/method name
ObjSize [<addr>]     | Find number of bytes that a root or all roots keep alive on GC heap.
ProcInfo [-env] [-time] [-mem] | Display the process info
RWLock [-all] <addr> | List info for a Read/Write lock
SyncBlk [-all|#]     | List syncblock
ThreadPool           | Display CLR threadpool state
Threads              | List managed threads
Token2EE  <module name> <mdToken> | Find memory address of EE data for metadata token
u [<MD>] [IP]        | Unassembly a managed code

The output of dumpheap is like this:

0:000> !dumpheap -type System.String
 Address       MT     Size
07291164 031342d8       28
072911dc 031342d8       32
072911fc 031342d8       32
0729121c 031342d8       20
07291268 031342d8       40
07291290 031342d8       76
072912dc 031342d8       32
072912fc 031342d8       84
07291350 031342d8       80
072913a0 031342d8      148

total 2140 objects
      MT    Count TotalSize Class Name
 31342d8     2140    147000 System.String
Total 2140 objects
asked on Stack Overflow Mar 21, 2020 by Malcolm McCaffery • edited Mar 22, 2020 by sajadre

1 Answer


You can use the .foreach command with the /pS and /ps flags.

Use /pS 3 to skip the 3 initial words you don't want to process ("Address", "MT" and "Size"). Next, the command will process the address 07291164. Then skip another 2 tokens with /ps 2 ("031342d8" and "28"), the next token will be processed, and so on.

This will work fine until it comes to the statistics, so you will have some error messages at the end.

Otherwise you can have a look at some WinDbg extensions which can do text processing for you, like .

answered on Stack Overflow Mar 21, 2020 by Thomas Weller

User contributions licensed under CC BY-SA 3.0