I'm trying to debug an issue with what may be a handle leak. I have a dump created on a remote Windows machine and I would like to see the handle information. I'm using WinDbg. I have seen some articles from MSDN and from other sources, like https://www.codeproject.com/Articles/6988/Debug-Tutorial-Part-5-Handle-Leaks, but I can't get it to work, so I need some help. I tried the following:
no export handles found or a failure to load kdexts. Apparently kernel debugging is not enabled.
`.load kdexts` yields `DebugExtensionInitializeFailed1` with error code 0x80004005.
`!handle -?` I get help for the command, but when I try something else, I get "Unable to read handle information". For example,
`!handle` - I expected a full list of handles
`!handle 0 0`
`!handle 0 0 file`
I need some help if possible
I'd appreciate any help! tamir
Your dump was probably a dump taken without handle information.
You may use dumpchk.exe, which comes with the WinDbg installation, to see if the Handle Stream exists in the dump.
If you have control over dump creation, check how to use `.dump /ma` with WinDbg,
or you may also explore Sysinternals procdump.exe.
Also make sure you are using the correct bitted debugger for the dump in question.
A sample path:

```
D:\>dir /s /b "c:\Program Files (x86)\Windows Kits\10\Debuggers\cdb.exe"
c:\Program Files (x86)\Windows Kits\10\Debuggers\arm\cdb.exe
c:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\cdb.exe
c:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
c:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
```
Here is a sample dump creation with and without the handle stream in the dump:

```
0:000> .dump /ma d:\madump.dmp
Creating d:\madump.dmp - mini user dump
Dump successfully written
0:000> .dump d:\nomadump.dmp
Creating d:\nomadump.dmp - mini user dump
Dump successfully written
0:000> q
```
Analysing both dumps with dumpchk and checking for the streams present:

```
dumpchk nomadump.dmp > nomachk.txt
dumpchk madump.dmp > machk.txt

D:\>type machk.txt |grep -i number.*stream
NumberOfStreams 17

D:\>type nomachk.txt |grep -i number.*stream
NumberOfStreams 13
```

```
D:\>diff -y machk.txt nomachk.txt
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64     Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Loading Dump File [D:\madump.dmp]                             | Loading Dump File [D:\nomadump.dmp]
User Mini Dump File with Full Memory: Only application d      | User Mini Dump File: Only registers, stack and portions of me
----- User Mini Dump Analysis                                   ----- User Mini Dump Analysis
MINIDUMP_HEADER:                                                MINIDUMP_HEADER:
Version         A793 (A063)                                     Version         A793 (A063)
NumberOfStreams 17                                            | NumberOfStreams 13
Flags           441826                                        | Flags           40000
                0002 MiniDumpWithFullMemory                   <
                0004 MiniDumpWithHandleData                   <
                0020 MiniDumpWithUnloadedModules              <
                0800 MiniDumpWithFullMemoryInfo               <
                1000 MiniDumpWithThreadInfo                   <
                40000 MiniDumpWithTokenInformation              40000 MiniDumpWithTokenInformation
                400000 MiniDumpWithIptTrace                   <
```
Forgot to post the result of doing !handle on both dumps:

```
D:\>cdb -c "!handle;q" -z nomadump.dmp |awk /Reading/,/quit/"
0:000> cdb: Reading initial command '!handle;q'
ERROR: !handle: extension exception 0x80004002.
    "Unable to read handle information"
quit:

D:\>cdb -c "!handle;q" -z madump.dmp |awk /Reading/,/quit/"
0:000> cdb: Reading initial command '!handle;q'
Handle 0000000000000004
  Type          File
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxSNIPxxxxxxxxx
Handle 0000000000000128
  Type          Mutant
Handle 000000000000012c
  Type
Handle 0000000000000180
  Type          File
70 Handles
Type                    Count
None                    27
Event                   13
File                    8
Directory               2
Mutant                  1
Semaphore               2
Key                     6
IoCompletion            2
TpWorkerFactory         2
ALPC Port               1
WaitCompletionPacket    6
quit:
```
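Added example, not part of the original answers: a Python version of the check that dumpchk does above, reading the MINIDUMP_HEADER and the stream directory to report whether a HandleDataStream (stream type 12) is present before the dump is opened with `!handle`. The names `inspect_minidump` and `build_sample` are hypothetical, the sample bytes are constructed, and the flag table is limited to the names that appear in the dumpchk output above.

```python
import struct
import sys

HEADER = struct.Struct("<4sIIIIIQ")  # MINIDUMP_HEADER (32 bytes)
DIRENT = struct.Struct("<III")       # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
HANDLE_DATA_STREAM = 12              # MINIDUMP_STREAM_TYPE HandleDataStream
# MINIDUMP_TYPE bits, limited to the names in the dumpchk output above
FLAG_NAMES = {
    0x2: "MiniDumpWithFullMemory",
    0x4: "MiniDumpWithHandleData",
    0x20: "MiniDumpWithUnloadedModules",
    0x800: "MiniDumpWithFullMemoryInfo",
    0x1000: "MiniDumpWithThreadInfo",
    0x40000: "MiniDumpWithTokenInformation",
    0x400000: "MiniDumpWithIptTrace",
}

def inspect_minidump(data):
    """Report stream count, known flags and whether a handle stream exists."""
    if len(data) < HEADER.size:
        raise ValueError("too short for MINIDUMP_HEADER")
    sig, _ver, count, dir_rva, _sum, _time, flags = HEADER.unpack_from(data)
    if sig != b"MDMP":
        raise ValueError("missing MDMP signature")
    if dir_rva + count * DIRENT.size > len(data):
        raise ValueError("stream directory runs past end of file")
    entries = [DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
               for i in range(count)]
    return {
        "streams": count,
        "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
        # A zero-length directory entry carries no handle records.
        "has_handle_stream": any(t == HANDLE_DATA_STREAM and size > 0
                                 for t, size, _rva in entries),
    }

def build_sample(flags, stream_types):
    """Constructed input: header, directory and 16-byte dummy stream bodies."""
    body = HEADER.size + len(stream_types) * DIRENT.size
    out = HEADER.pack(b"MDMP", 0xA793, len(stream_types), HEADER.size, 0, 0, flags)
    for i, stream_type in enumerate(stream_types):
        out += DIRENT.pack(stream_type, 16, body + 16 * i)
    return out + bytes(16 * len(stream_types))

if __name__ == "__main__":
    # With a .dmp path, inspect that file; otherwise the constructed sample.
    raw = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
           else build_sample(0x441826, [3, 4, 12]))
    print(inspect_minidump(raw))
```

For multi-gigabyte full-memory dumps, map the file or read only the header and directory instead of loading the whole file.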
Check the tool which was used for creating the crash dump. Perhaps it provides an option to include handle data.
Task Manager includes handle data by default
Visual Studio includes handle data by default
`.dump` can be used with the `/mh` switch to include handle data. `/ma` is a shortcut for `/mfFhut`, so it also includes handle data.
ProcDump automatically includes handle data.
Windows Error Reporting LocalDumps can be configured with a Registry value called