Solved

crashdumps - windbg.exe problem reading symbols, advice would be appreciated

Posted on 2016-09-11
Last Modified: 2016-09-13
Hi,
System basics- Windows 10 Pro 64bit 8GB RAM, plenty of HD storage available Z77-DS3H m/board. Nvidia GS7100 Graphics Card

over the last few days have averaged 4 or 5 BSOD screens with 'dpc watchdog violation' error

I've looked at the windows\minidump folder and found files for each crash and have tried to view them
Initially could just get garbage via notepad, then found the Windows SDK and installed debug tools
Ran windbg.exe as administrator, loaded the last minidump file

Error message in report saying couldn't find the symbols directory-

Then on the MS site located the  Windows_Rs1.14393.0.160715-1616.x64FRE.Symbols.msi
ran it and then installed to C:\Program Files (x86)\Windows Kits\10\symbols  about 5GB !!!
In case the problem was an x86 driver I then installed the x86 version-
 Windows_Rs1.14393.0.160715-1616.X86FRE.Symbols.msi
ran it and installed to C:\Program Files (x86)\Windows Kits\10\symbols32

Restarted windbg.exe as administrator
Browsed and selected the xxx\z10\ symbols path

Now when I load the minidump crash file I get the information below.

Can anyone advise what I have done incorrectly or missed out so that I can try and track down just what is causing these dpc violations.

Many thanks,
Nigel

-------------------------------------------------------------------------

Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\091016-74984-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\Program Files (x86)\Windows Kits\10\symbols
Symbol search path is: C:\Program Files (x86)\Windows Kits\10\symbols
Executable search path is:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
Windows 10 Kernel Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.545.amd64fre.th2_release.160802-1857
Machine Name:
Kernel base = 0xfffff800`ac412000 PsLoadedModuleList = 0xfffff800`ac6efcf0
Debug session time: Sat Sep 10 00:20:26.277 2016 (UTC + 1:00)
System Uptime: 0 days 0:01:18.999
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
..................................................
Loading User Symbols
Loading unloaded module list
.....

************* Symbol Loading Error Summary **************
Module name            Error
ntkrnlmp               The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 133, {0, 501, 500, 0}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for hal.dll -
*** WARNING: Unable to verify timestamp for Si3114r5.sys
*** ERROR: Module load completed but symbols could not be loaded for Si3114r5.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KINTERRUPT                                ***
***                                                                   ***
*************************************************************************

Further down the text in different blocks there are references to  :-
Type referenced: nt!_EPROCESS  
Type referenced: nt!_KPRCB  
Type referenced: nt!_KTHREAD  
Type referenced: nt!_MMPTE
0
Question by:techtramp
22 Comments
 
LVL 87

Accepted Solution

by:
rindi earned 250 total points
ID: 41793442
If your crashes are on a 64 bit version of Windows, you will also need the 64 bit symbols.

But generally, you would enter the following for the symbol path:

SRV*d:\users\Public\symbols*http://msdl.microsoft.com/download/symbols


Where the part between two * * is a local directory on the PC where the symbols get downloaded to, and the part behind that is the link from where they get downloaded.
0
 

Author Comment

by:techtramp
ID: 41793501
Thanks rindi,
This is the file that I downloaded from the MS website and installed- do I need another file?
Windows_Rs1.14393.0.160715-1616.x64FRE.Symbols.msi

I've just tried entering
SRV C:\Program Files\Windows Kits\10\symbols http://msdl.microsoft.com/download/symbols
as the path, but got the message at the top of the debug window

-----------------
Error: Change all symbol paths attempts to access 'SRV C:\Program Files\Windows Kits\10\symbols http://msdl.microsoft.com/download/symbols' failed: 0x7b - The filename, directory name, or volume label syntax is incorrect.

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Error                                          SRV C:\Program Files\Windows Kits\10\symbols http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV C:\Program Files\Windows Kits\10\symbols http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 10 Kernel Version 10586 MP (4 procs) Free x64

I've tried with a space between SRV and C:\ and also between the \10\symbols and http://- got the same error message re symbol paths.

This is the first time I've used windbg so have probably got errors in spaces within the command line or got something else wrong!
Thanks
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 41793507
You omitted the asterisks in the symbol server path, but those are important and part of the syntax.
0
 
LVL 87

Expert Comment

by:rindi
ID: 41793514
You don't need to manually download anything. If you set the symbol path properly, the debugger will do the download.
0
 

Author Comment

by:techtramp
ID: 41795019
Hi Qlemo and rindi,
Thanks for the comments, and sorry to be slow getting back to you- last three attempts have failed due to BSOD with the dpc violation error whilst writing.
I had assumed that the asterisks enclosed the required path rather than being essential to the command- as I said, first attempt with windbg. With something like this, it's a pity that MS don't give a sample code for people in my situation.

When I ran windbg I got the following results- the first block waited and said debugger not connected, then when I came back later it seemed to complete and under the bottom of the window said 1: <kd

I tried running the !analyze -v  from within the program and on the command line but didn't get any display.

From my limited reading of the results- it looks as though  Si3114r5.sys could be a problem which might tie up with my PCIe raid/ SATA card.

Does this make sense?

Cheers,
Nigel

--------------------------------------------------------------------

Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\091116-77015-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Program Files\Windows Kits\10\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Program Files\Windows Kits\10\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.545.amd64fre.th2_release.160802-1857
Machine Name:
Kernel base = 0xfffff802`67886000 PsLoadedModuleList = 0xfffff802`67b63cf0
Debug session time: Sun Sep 11 11:04:56.763 2016 (UTC + 1:00)
System Uptime: 0 days 23:50:09.484
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
...............................................................
Loading User Symbols
Loading unloaded module list
.........................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 133, {0, 501, 500, 0}

*** WARNING: Unable to verify timestamp for Si3114r5.sys
*** ERROR: Module load completed but symbols could not be loaded for Si3114r5.sys
Probably caused by : Si3114r5.sys ( Si3114r5+a264 )

Followup:     MachineOwner
---------
0
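Added example, not part of any post in this thread: a Python script that reads the two WinDbg transcripts posted above and reports whether the symbol path is a symbol-server path, which modules lacked symbols, and whether the "Probably caused by" line can be relied on. The names `split_sympath` and `triage` are this example's own, and the two sample inputs are trimmed excerpts of the posted output.

```python
import re

# Constructed excerpts, trimmed from the two debugger transcripts in this thread.
BEFORE = r"""Symbol search path is: C:\Program Files (x86)\Windows Kits\10\symbols
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
BugCheck 133, {0, 501, 500, 0}
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for hal.dll -
*** ERROR: Module load completed but symbols could not be loaded for Si3114r5.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
"""
AFTER = r"""Symbol search path is: SRV*C:\Program Files\Windows Kits\10\symbols*http://msdl.microsoft.com/download/symbols
BugCheck 133, {0, 501, 500, 0}
*** WARNING: Unable to verify timestamp for Si3114r5.sys
*** ERROR: Module load completed but symbols could not be loaded for Si3114r5.sys
Probably caused by : Si3114r5.sys ( Si3114r5+a264 )
"""

PATH_RE = re.compile(r"^Symbol search path is: (.*)$", re.M)
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
EXPORT_RE = re.compile(r"Defaulted to export symbols for (\S+)")
NOSYM_RE = re.compile(r"symbols could not be loaded for (\S+)")
CAUSE_RE = re.compile(r"^Probably caused by : (\S+)", re.M)
OS_MODULES = {"ntkrnlmp.exe", "ntoskrnl.exe", "hal.dll"}  # Microsoft-supplied binaries

def split_sympath(path):
    """Split a symbol path on ';' and classify each element."""
    out = []
    for elem in filter(None, (e.strip() for e in path.split(";"))):
        parts = elem.split("*")
        if parts[0].lower() == "srv" and len(parts) in (2, 3):
            cache = parts[1] if len(parts) == 3 else None
            out.append({"kind": "server", "cache": cache, "server": parts[-1]})
        else:
            # No asterisks: the whole element is taken as one directory name.
            out.append({"kind": "directory", "dir": elem})
    return out

def triage(transcript):
    """Summarise one transcript; bugcheck code and arguments are printed in hex."""
    m = PATH_RE.search(transcript)
    elements = split_sympath(m.group(1)) if m else []
    bc = BUGCHECK_RE.search(transcript)
    cause = CAUSE_RE.search(transcript)
    missing = set(EXPORT_RE.findall(transcript)) | set(NOSYM_RE.findall(transcript))
    os_missing = sorted(missing & OS_MODULES)
    return {
        "uses_symbol_server": any(e["kind"] == "server" for e in elements),
        "bugcheck": int(bc.group(1), 16) if bc else None,
        "args": [int(a, 16) for a in bc.group(2).split(",")] if bc else [],
        "os_symbols_missing": os_missing,
        "other_modules_without_symbols": sorted(missing - OS_MODULES),
        "trustworthy": "Kernel symbols are WRONG" not in transcript and not os_missing,
        "probable_cause": cause.group(1) if cause else None,
    }

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, triage(text))
```

Passing the space-separated string from the earlier comment to `split_sympath` yields a single directory element, which matches the 0x7b "filename, directory name, or volume label syntax is incorrect" error shown there.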
 
LVL 87

Expert Comment

by:rindi
ID: 41795058
Yes, that could be the issue. Look for a new driver for the card.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41795117
RAID driver and DPC WatchDog bugcheck (133) fit together well, so it is very likely the culprit.
0
 

Author Comment

by:techtramp
ID: 41795159
Thanks both,
Just taken out the Raid card- so far unable to find up to date drivers so may need to get a new card.- hasn't crashed in the last couple of hours so hopeful this is the culprit rather than my graphics card !

I have two other queries but will raise them in a separate question as this one has been answered and I can award points.

(Which section would these go in - windows or operating systems-
using windbg-

Is there a list of bugcheck values anywhere?
How do I use the  !analyze command please?  )

Thanks,
Nigel
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41795186
The analyze command should be issued after you've loaded the crash dump file - after the output above has been produced. The command should provide more details, but at least something similar to above. You can click on the command link to run it. Of course you need to run the command from the windbg prompt kd> or whatever.
That the crash analysis runs for some significant time the first time you use windbg with symbols is quite normal - the symbols of all related system DLLs need to get found and downloaded first, not showing progress. The second and following crash dump analysis is much more responsive.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41795476
0
 

Author Comment

by:techtramp
ID: 41795604
Thanks Qlemo
Thanks for the bugcheck reference- found the 133 but no reference to Raid- I'd have thought that might be listed somewhere.

'you need to run the command from the windbg prompt kd> or whatever'.- that explains why it didn't work from the main command line from the start menu. Very much a steep learning curve as to knowing where to look for information, where to enter data/commands etc.
the !analyse result pointed to  Si3114r5.sys as the problem which rather confirms the RAID card as the problem. Part of the report below.

--------------------------------------
FAILURE_BUCKET_ID:  0x133_DPC_Si3114r5!unknown_function

BUCKET_ID:  0x133_DPC_Si3114r5!unknown_function

PRIMARY_PROBLEM_CLASS:  0x133_DPC_Si3114r5!unknown_function
________________________________


I was going to put up the above  bugcheck and !analyse points as a separate question-now that you've kindly answered them for me here so if ok with both of you, I will split the points between you.

So far so good- no dpc since yesterday's removal of the RAID card- only trouble is I can't find updated drivers for it !
Cheers,
Nigel
0
 
LVL 87

Expert Comment

by:rindi
ID: 41795625
The OS won't know it has anything to do with RAID. It just references the driver to some hardware, in your case that hardware happens to be the RAID controller.

This isn't a real hardware RAID controller anyway, but rather just a fake-RAID controller, so there is no point in using it as you don't get any advantage with it. Using your OS's built in Software RAID is much more reliable and also performs a lot better. The only use for such a controller would be to add more SATA disks to your system if your mainboard doesn't have enough, then use it in AHCI rather than RAID mode, provided you can set up the controller that way. But if its RAID drivers are buggy, so may be the AHCI drivers.
0
 

Author Comment

by:techtramp
ID: 41795626
By the way- with the updated path (including the asterisks)- can I delete the
Windows_Rs1.14393.0.160715-1616.x64FRE.Symbols.msi files and the relevant contents that I installed earlier- that way I can reclaim 5GB of storage space for each.

I assume I'd need to leave the symbols folder in place as it's referred to in the path?

Nigel
0
 

Author Comment

by:techtramp
ID: 41795631
Must have crossed over with your last reply, rindi.
The RAID card was essentially in to provide extra SATA drive connections for another DVD and SATA drive for backup/filetransfer- I'll look for a basic SATA card if such a thing exists.
Nigel
0
 
LVL 87

Expert Comment

by:rindi
ID: 41795751
Yes, you can delete those symbols.
0
 

Author Comment

by:techtramp
ID: 41795784
Thanks,
Can I check a second crashdump file without having to restart windbg?

Can the symbols path be saved as default? I've looked in the help file but rapidly got lost as to what and where to set options up.
Cheers,
0
 
LVL 87

Expert Comment

by:rindi
ID: 41795793
If you have the crash dump open in the debugger, you can click on the Debug menu item and select Stop debugging.

You can save your settings (which saves the symbols path) by using File, save Workspace. After that you can start the debugger again with your current saved settings. You can additionally do a save workspace to file so you can import the workspace again should the need arise.
0
 

Author Comment

by:techtramp
ID: 41795803
Thanks rindi, I'll have a go, I'd wondered about workspace but didn't think about going into the debug options - bless experts-exchange, I'd have been going round in circles for ages!

Out of curiosity, having downloaded and installed the symbols into the symbols folder and pointed to that folder in the path, why didn't windbg look to that folder first to find the relevant symbols? That was the C:\Program Files (x86)\Windows Kits\10\symbols which I browsed to find and select.
0
 
LVL 87

Expert Comment

by:rindi
ID: 41795814
I've never used symbols that way, and don't really know whether those you downloaded were the correct ones or what they would be used for.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41795816
You can also set the environment variable _NT_SYMBOL_PATH to the complete symbol server path setting, but it is probably best to keep it as WinDbg saved setting only, as described by rindi.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41795819
Not being the correct release (this includes Windows Updates) could have been the reason for ignoring those installed symbol files.
0
 

Author Closing Comment

by:techtramp
ID: 41796860
Many thanks to both rindi and Qlemo  who covered both the initial question and also associated questions which followed.
0
