none
WINDBG NTDLL problem.

    Question

  • I am currently having problems with WINDBG.  Though I have my symbol path set for srv*C:\symbols*http://msdl.microsoft.com/download/symbols, I never the less am getting the following error:

    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe - Windows 7 Kernel Version 7601 (Service Pack 1)

    After deleting all of my symbol files and re-downloading everything,  I went into WinDbg and tried to do a reload on ntdll.dll.  The following are the commands I issued:

    lkd> !sym noisy

    lkd> .reload /f ntdll.dll

    "ntdll.dll" was not found in the image list.

    Debugger will attempt to load "ntdll.dll" at given base 00000000'00000000.

    Please provide the full image name, including the extension (i.e. kernel32.dll)

    for more reliable results. Base address and size overrides can be given as .reload <image.ext>=<base>, size>.

    DBGENG: ntdll.dll - Partial symbol image load missing image into.

    DBGHELP: No header for ntdll.dll.  Searching for dbg file.

    DBGHELP: .\ntdll.dbg - file not found.

    DBGHELP: .\dll\ntdll.dbg - path not found.

    DBGHELP: .\symbols\dll\ntdll.dbg - path not found.

    DBGHELP: .ntdll.dll missing debug info.  Searching for pdb anyway.

    DBGHELP: Can't use symbol server for ntdll.pdb - no header information available.

    DBGHELP: ntdll.pdb - file not found

    DBGHELP: ntdll - no symbols loaded

    Unable to add module at 00000000'00000000

    Does anyone out there know why this is occuring?


    • Edited by mcertini Friday, June 28, 2013 6:42 PM
    Friday, June 28, 2013 6:40 PM

All replies

  • According to your cmd-prompt, you seem to be using local-kernel debugging?
    For windbg falls back to exported symbols for ntkrnlmp.exe, I assume also ntkrnlmp.pdb is not loaded. 
    When doing a
    !sym noisy
    .reload /f nt
    does windbg look for image-file?
    Then probably it is a matter of paged-out memory.
    Also you may try for more info
    !lmi ntkrnlmp.exe
    !lmi ntdll.dll  (though for this one I would expect 'not found' according to your error message)
    Sometimes during local-kernel-debugging (which I do not use very often) I have to switch to a user process to load  symbols for ntdll.dll

    PROCESS 84fcf9a8  SessionId: 1  Cid: 0c5c    Peb: 7ffd9000  ParentCid: 060c
        DirBase: 7c2beac0  ObjectTable: 94401af8  HandleCount:  76.
        Image: notepad.exe
    lkd> .process /r /p 84fcf9a8
    Implicit process is now 84fcf9a8
    Loading User Symbols
    ..........................
    DBGHELP: c:\windows\symbols\dll\ntdll.pdb - file not found
    DBGHELP: c:\windows\symbols\dll\dll\ntdll.pdb - file not found
    DBGHELP: c:\windows\symbols\dll\symbols\dll\ntdll.pdb - file not found
    DBGHELP: ntdll - public symbols  
             c:\symbols\mssymbols\ntdll.pdb\6E883...593F26D92\ntdll.pdb

    Besides, have you already tried Sysinternals livekd, though it seems to be a little bit more restricted using a static snapshot.

    No warranty
    With kind regards



    • Edited by MaybeCompletelyW Saturday, June 29, 2013 8:38 PM livekd
    • Proposed as answer by Pavel A Monday, July 08, 2013 6:19 PM
    Saturday, June 29, 2013 8:27 PM
  • the ntdll.dll is a usermode dll. If you run windbg as kernel debugger, it won't be in the picture.

    -- pa

    Sunday, June 30, 2013 3:23 PM