Symbols cannot be loaded for win32k subsystem drivers (win32kbase, win32kfull, win32k) (.sys)

  • Question

  • Hello. I am debugging a VMware Workstation VM with Windows 10 corporate edition (x64, version 1607), using a named pipe via WinDbg. Everything works fine, but I ALMOST always cannot load symbols for the win32k drivers.

    Here are some outputs with !sym noisy on. First I verified that the sympath is OK:

    1: kd> .sympath
    Symbol search path is: SRV*c:\symbols*
    Expanded Symbol search path is: srv*c:\symbols*
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV*c:\symbols*

    Then I tried to load the win32kbase.sys module symbols:

    1: kd> .reload /f win32kbase.sys
    Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
    Run !sym noisy before .reload to track down problems loading symbols.
             C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym
    SYMSRV:  PATH: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\win32kbase.sys\5819BCA2180000\win32kbase.sys
    DBGHELP: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\win32kbase.sys\5819BCA2180000\win32kbase.sys - OK
    DBGENG:  Partial symbol load found image C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\win32kbase.sys\5819BCA2180000\win32kbase.sys.
    SYMSRV:  c:\symbols\win32kbase.pdb\DB082FF11D914CA1BA49E137CC66F5E11\win32kbase.pdb - file not found
    SYMSRV:  HTTPGET: /download/symbols/index2.txt
    SYMSRV:  HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
    SYMSRV:  HTTPGET: /download/symbols/win32kbase.pdb/DB082FF11D914CA1BA49E137CC66F5E11/win32kbase.pdb
    SYMSRV:  HttpQueryInfo: 404 - HTTP_STATUS_NOT_FOUND
    SYMSRV:  HTTPGET: /download/symbols/win32kbase.pdb/DB082FF11D914CA1BA49E137CC66F5E11/win32kbase.pd_
    SYMSRV:  HttpQueryInfo: 200 - HTTP_STATUS_OK
    SYMSRV:  c:\symbols\win32kbase.pdb\DB082FF11D914CA1BA49E137CC66F5E11\win32kbase.pdb - file not found
    SYMSRV:  win32kbase.pdb from 318945 bytes - copied         
    SYMSRV:  PATH: c:\symbols\win32kbase.pdb\DB082FF11D914CA1BA49E137CC66F5E11\win32kbase.pdb
    DBGHELP: win32kbase - public symbols  

    Some more info:

    1: kd> lmDva 0xffffff56`b3790000
    Browse full module list
    start             end                 module name
    ffffff56`b3790000 ffffff56`b3910000   win32kbase   (pdb symbols)          c:\symbols\win32kbase.pdb\DB082FF11D914CA1BA49E137CC66F5E11\win32kbase.pdb
        Loaded symbol image file: win32kbase.sys
        Mapped memory image file: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\win32kbase.sys\5819BCA2180000\win32kbase.sys
        Image path: \SystemRoot\System32\win32kbase.sys
        Image name: win32kbase.sys
        Browse all global symbols  functions  data
        Timestamp:        Wed Nov  2 13:14:58 2016 (5819BCA2)
        CheckSum:         00172C8F
        ImageSize:        00180000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

    But if, for example, I want to see some function code:

    1: kd> uf win32kbase!NtGdiCreateCompatibleDC
    No code found, aborting

    And of course if I navigate to this offset in the Disassembly window I get:

    ffffff56`b37e6020 ??              ???
    ffffff56`b37e6021 ??              ???
    ffffff56`b37e6022 ??              ???
    ffffff56`b37e6023 ??              ???
    ffffff56`b37e6024 ??              ???
    ffffff56`b37e6025 ??              ???
    ffffff56`b37e6026 ??              ???
    ffffff56`b37e6027 ??              ???
    ffffff56`b37e6028 ??              ???
    ffffff56`b37e6029 ??              ???
    ffffff56`b37e602a ??              ???
    ffffff56`b37e602b ??              ???
    ffffff56`b37e602c ??              ???
    ffffff56`b37e602d ??              ???
    ffffff56`b37e602e ??              ???
    ffffff56`b37e602f ??              ???

    Same happens with win32k.sys and win32kfull.sys.

    Here is the !lmi output:

    1: kd> !lmi win32kbase.sys
    Loaded Module Info: [win32kbase.sys]
    Cannot read Image header @ ffffff56b3790000
        Load Report: public symbols , not source indexed

    This is a huge problem; it makes it impossible to debug some drivers or dumps. There are similar topics found on Google addressing this issue: /forums/bsod-processing-apps-download-information-discussions/3366-symbols-could-not-loaded-win32k-sys.html

    Why does this happen? Also, sometimes, just SOMETIMES, the symbols get loaded fine; I haven't figured out what it depends on. I have the same Windows version on my PC as the one being debugged in VMware. I'm using the debugging tools from the development kit for Windows 10. Can someone help?

    P.S. I tried to solve this problem with the suggestion to switch to some process, for example explorer.exe, using the .process command and then reload the symbols. It sort of works, but when I continue execution, again it appears that the symbols are not loaded, and I have to switch to some process again. And breakpoints don't work anyway.
    Friday, December 9, 2016 7:52 PM

All replies

  • Does it help getting the modules - win32kbase.sys, win32kfull.sys, win32k.sys - from the target and pointing '.exepath' to them ('.reload' needed)?
    See also

    With kind regards

    Saturday, December 10, 2016 9:31 AM
  • Does it help getting the modules - win32kbase.sys, win32kfull.sys, win32k.sys - from the target and pointing '.exepath' to them ('.reload' needed)?
    See also

    With kind regards

    I tried what you suggested with .exepath, and the second one, which is kind of the same but with a network share. Here are some results:

    I copied win32k.sys/win32kbase.sys/win32kfull.sys to the other volume, in c:\sims, and set the exepath like so:

    0: kd> .exepath
    Executable image search path is: s:\sims
    Expanded Executable image search path is: s:\sims
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    OK                                             s:\sims

    Set sympath:

    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*c:\symbols*

    Then I did a reload:

    0: kd> .reload
    Connected to Windows 10 14393 x64 target at (Sun Dec 11 19:17:57.835 2016 (UTC + 3:00)), ptr64 TRUE
    SYMSRV:  PATH: c:\symbols\ntkrnlmp.pdb\0BAE20272BEC40F1AC6CD5690033E52D1\ntkrnlmp.pdb
    DBGHELP: nt - public symbols  
    Loading Kernel Symbols
    Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
    Run !sym noisy before .reload to track down problems loading symbols.
    Loading User Symbols
    Loading unloaded module list
    SYMSRV:  PATH: c:\symbols\hal.pdb\0043C95B002042F9A8D2328356E483611\hal.pdb
    DBGHELP: hal - public symbols  

    Here is the lm output after this:

    0: kd> lm
    start             end                 module name
    ffff823e`56600000 ffff823e`56988000   win32kfull   (deferred)             
    ffff823e`56990000 ffff823e`56b10000   win32kbase   (deferred)             
    ffff823e`56b20000 ffff823e`56b2a000   TSDDD      (deferred)             
    ffff823e`56b30000 ffff823e`56b70000   cdd        (deferred)             
    ffff823e`56e90000 ffff823e`56ecb000   win32k     (deferred)             
    fffff801`f8102000 fffff801`f8110000   kdcom      (deferred)             
    fffff801`f8e1e000 fffff801`f8e93000   hal        (pdb symbols)          c:\symbols\hal.pdb\0043C95B002042F9A8D2328356E483611\hal.pdb
    fffff801`f8e93000 fffff801`f96b3000   nt         (pdb symbols)          c:\symbols\ntkrnlmp.pdb\0BAE20272BEC40F1AC6CD5690033E52D1\ntkrnlmp.pdb
    fffff806`83800000 fffff806`83863000   CLFS       (deferred)             
    fffff806`83870000 fffff806`83895000   tm         (deferred)             
    fffff806`838a0000 fffff806`838b7000   PSHED      (deferred)             
    fffff806`838c0000 fffff806`838cc000   BOOTVID    (deferred)             
    fffff806`838d0000 fffff806`83932000   FLTMGR     (deferred)             
    fffff806`83940000 fffff806`8399d000   msrpc      (deferred)             
    fffff806`839a0000 fffff806`839c8000   ksecdd     (deferred)             
    fffff806`839d0000 fffff806`83a80000   clipsp     (deferred)             
    fffff806`83a80000 fffff806`83a8d000   cmimcext   (deferred)             
    fffff806`83a90000 fffff806`83a9c000   ntosext    (deferred)             
    fffff806`83aa0000 fffff806`83b40000   CI         (deferred)             
    fffff806`83b40000 fffff806`83bdc000   cng        (deferred)             
    fffff806`83be0000 fffff806`83cb4000   Wdf01000   (deferred)             
    fffff806`83cc0000 fffff806`83cd3000   WDFLDR     (deferred)             
    fffff806`83ce0000 fffff806`83d03000   acpiex     (deferred)             
    fffff806`83d10000 fffff806`83d1e000   WppRecorder   (deferred)             
    fffff806`83d20000 fffff806`83dd3000   ACPI       (deferred)             
    fffff806`83de0000 fffff806`83dec000   WMILIB     (deferred)             
    fffff806`83e00000 fffff806`83e11000   intelpep   (deferred)             
    fffff806`83e20000 fffff806`83e3f000   WindowsTrustedRT   (deferred)             
    fffff806`83e40000 fffff806`83e4b000   WindowsTrustedRTProxy   (deferred)             
    fffff806`83e50000 fffff806`83e62000   pcw        (deferred)             
    fffff806`83e70000 fffff806`83e7b000   msisadrv   (deferred)             
    fffff806`83e80000 fffff806`83ed7000   pci        (deferred)             
    fffff806`83ee0000 fffff806`83ef2000   vdrvroot   (deferred)             
    fffff806`83f00000 fffff806`83f21000   pdc        (deferred)             
    fffff806`83f30000 fffff806`83f49000   CEA        (deferred)             
    fffff806`83f50000 fffff806`83f74000   partmgr    (deferred)             
    fffff806`83f80000 fffff806`8400d000   spaceport   (deferred)             
    fffff806`84010000 fffff806`8401a000   intelide   (deferred)             
    fffff806`84020000 fffff806`84031000   PCIIDEX    (deferred)             
    fffff806`84040000 fffff806`84058000   volmgr     (deferred)             
    fffff806`84060000 fffff806`840be000   volmgrx    (deferred)             
    fffff806`840c0000 fffff806`840d9000   vmci       (deferred)             
    fffff806`840e0000 fffff806`840f7000   vsock      (deferred)             
    fffff806`84100000 fffff806`8411e000   mountmgr   (deferred)             
    fffff806`84120000 fffff806`8413f000   lsi_sas    (deferred)             
    fffff806`84140000 fffff806`841c2000   storport   (deferred)             
    fffff806`841d0000 fffff806`841dc000   atapi      (deferred)             
    fffff806`841e0000 fffff806`84215000   ataport    (deferred)             
    fffff806`84220000 fffff806`84244000   storahci   (deferred)             
    fffff806`84250000 fffff806`8426c000   EhStorClass   (deferred)             
    fffff806`84270000 fffff806`84289000   fileinfo   (deferred)             
    fffff806`84290000 fffff806`842c8000   Wof        (deferred)             
    fffff806`842d0000 fffff806`8431d000   WdFilter   (deferred)             
    fffff806`84340000 fffff806`843ce000   mcupdate_GenuineIntel   (deferred)             
    fffff806`843d0000 fffff806`843e0000   werkernel   (deferred)             
    fffff806`84400000 fffff806`84528000   ndis       (deferred)             
    fffff806`84530000 fffff806`845a9000   NETIO      (deferred)             
    fffff806`845b0000 fffff806`845e0000   ksecpkg    (deferred)             
    fffff806`845e0000 fffff806`84858000   tcpip      (deferred)             
    fffff806`84860000 fffff806`848c9000   fwpkclnt   (deferred)             
    fffff806`848d0000 fffff806`848fa000   wfplwfs    (deferred)             
    fffff806`84900000 fffff806`849a3000   fvevol     (deferred)             
    fffff806`849b0000 fffff806`849bb000   volume     (deferred)             
    fffff806`849c0000 fffff806`84a24000   volsnap    (deferred)             
    fffff806`84a30000 fffff806`84a78000   rdyboost   (deferred)             
    fffff806`84a80000 fffff806`84aa5000   mup        (deferred)             
    fffff806`84ab0000 fffff806`84ac0000   iorate     (deferred)             
    fffff806`84ad0000 fffff806`84aee000   disk       (deferred)             
    fffff806`84b10000 fffff806`84b29000   crashdmp   (deferred)             
    fffff806`84b30000 fffff806`84d62000   NTFS       (deferred)             
    fffff806`84d70000 fffff806`84d7d000   Fs_Rec     (deferred)             
    fffff806`84d80000 fffff806`84de2000   CLASSPNP   (deferred)             
    fffff806`85000000 fffff806`85014000   watchdog   (deferred)             
    fffff806`85020000 fffff806`8523e000   dxgkrnl    (deferred)             
    fffff806`85240000 fffff806`85252000   BasicRender   (deferred)             
    fffff806`85260000 fffff806`85279000   Npfs       (deferred)             
    fffff806`85280000 fffff806`85290000   Msfs       (deferred)             
    fffff806`85290000 fffff806`852b3000   tdx        (deferred)             
    fffff806`852c0000 fffff806`852d0000   TDI        (deferred)             
    fffff806`852d0000 fffff806`852dd000   ws2ifsl    (deferred)             
    fffff806`852e0000 fffff806`852e9000   vmmouse    (deferred)             
    fffff806`85340000 fffff806`85371000   cdrom      (deferred)             
    fffff806`85380000 fffff806`8539d000   filecrypt   (deferred)             
    fffff806`853a0000 fffff806`853ae000   tbs        (deferred)             
    fffff806`853b0000 fffff806`853ba000   Null       (deferred)             
    fffff806`853c0000 fffff806`853ca000   Beep       (deferred)             
    fffff806`853d0000 fffff806`853df000   vmrawdsk   (deferred)             
    fffff806`853e0000 fffff806`853f4000   BasicDisplay   (deferred)             
    fffff806`85400000 fffff806`85495000   afd        (deferred)             
    fffff806`854a0000 fffff806`854b9000   vwififlt   (deferred)             
    fffff806`854c0000 fffff806`854eb000   pacer      (deferred)             
    fffff806`854f0000 fffff806`85502000   netbios    (deferred)             
    fffff806`85510000 fffff806`85538000   vmhgfs     (deferred)             
    fffff806`85540000 fffff806`855b5000   rdbss      (deferred)             
    fffff806`855c0000 fffff806`8564e000   csc        (deferred)             
    fffff806`85650000 fffff806`85661000   nsiproxy   (deferred)             
    fffff806`85670000 fffff806`8567d000   npsvctrig   (deferred)             
    fffff806`85680000 fffff806`85690000   mssmbios   (deferred)             
    fffff806`85690000 fffff806`8569a000   gpuenergydrv   (deferred)             
    fffff806`856a0000 fffff806`856ca000   dfsc       (deferred)             
    fffff806`856d0000 fffff806`856e3000   kbdclass   (deferred)             
    fffff806`856f0000 fffff806`8572f000   ahcache    (deferred)             
    fffff806`85730000 fffff806`8577b000   netbt      (deferred)             
    fffff806`85780000 fffff806`85791000   CompositeBus   (deferred)             
    fffff806`857a0000 fffff806`857ae000   kdnic      (deferred)             
    fffff806`857b0000 fffff806`857c5000   umbus      (deferred)             
    fffff806`857d0000 fffff806`857f2000   i8042prt   (deferred)             
    fffff806`85800000 fffff806`85868000   ks         (deferred)             
    fffff806`85870000 fffff806`8588c000   usbehci    (deferred)             
    fffff806`85890000 fffff806`858f3000   USBXHCI    (deferred)             
    fffff806`85900000 fffff806`85938000   ucx01000   (deferred)             
    fffff806`85940000 fffff806`8594b000   vmgencounter   (deferred)             
    fffff806`85950000 fffff806`8595e000   CmBatt     (deferred)             
    fffff806`85960000 fffff806`8596e000   BATTC      (deferred)             
    fffff806`85970000 fffff806`8599b000   intelppm   (deferred)             
    fffff806`859a0000 fffff806`859ac000   pnpmem     (deferred)             
    fffff806`859b0000 fffff806`859cc000   ew_jubusenum   (deferred)             
    fffff806`859d0000 fffff806`859dd000   NdisVirtualBus   (deferred)             
    fffff806`859e0000 fffff806`859ec000   swenum     (deferred)             
    fffff806`859f0000 fffff806`859fe000   rdpbus     (deferred)             
    fffff806`85a00000 fffff806`85a80000   usbhub     (deferred)             
    fffff806`85a80000 fffff806`85a8e000   USBD       (deferred)             
    fffff806`85a90000 fffff806`85b17000   UsbHub3    (deferred)             
    fffff806`85b20000 fffff806`85b8a000   HdAudio    (deferred)             
    fffff806`85b90000 fffff806`85b9e000   ksthunk    (deferred)             
    fffff806`85ba0000 fffff806`85bd0000   usbccgp    (deferred)             
    fffff806`85bd0000 fffff806`85be1000   hidusb     (deferred)             
    fffff806`85bf0000 fffff806`85c1f000   HIDCLASS   (deferred)             
    fffff806`85c20000 fffff806`85c32000   HIDPARSE   (deferred)             
    fffff806`85c40000 fffff806`85c4f000   mouhid     (deferred)             
    fffff806`85c50000 fffff806`85c59000   vmusbmouse   (deferred)             
    fffff806`85ca0000 fffff806`85cf4000   udfs       (deferred)             
    fffff806`85d10000 fffff806`85d1f000   dump_diskdump   (deferred)             
    fffff806`85d40000 fffff806`85d5f000   dump_LSI_SAS   (deferred)             
    fffff806`85d80000 fffff806`85d9d000   dump_dumpfve   (deferred)             
    fffff806`85da0000 fffff806`85e54000   srv2       (deferred)             
    fffff806`85e60000 fffff806`85e74000   mmcss      (deferred)             
    fffff806`85e80000 fffff806`85ecd000   mrxsmb10   (deferred)             
    fffff806`85ed0000 fffff806`85f5c000   srv        (deferred)             
    fffff806`85f60000 fffff806`85f86000   Ndu        (deferred)             
    fffff806`85f90000 fffff806`86052000   peauth     (deferred)             
    fffff806`86060000 fffff806`86074000   tcpipreg   (deferred)             
    fffff806`86080000 fffff806`860a2000   WdNisDrv   (deferred)             
    fffff806`860b0000 fffff806`860c2000   condrv     (deferred)             
    fffff806`862b0000 fffff806`86317000   dxgmms1    (deferred)             
    fffff806`86320000 fffff806`86330000   monitor    (deferred)             
    fffff806`86330000 fffff806`863d7000   dxgmms2    (deferred)             
    fffff806`863e0000 fffff806`86406000   luafv      (deferred)             
    fffff806`86410000 fffff806`86430000   wcifs      (deferred)             
    fffff806`86430000 fffff806`86449000   storqosflt   (deferred)             
    fffff806`86450000 fffff806`86466000   wcnfs      (deferred)             
    fffff806`86470000 fffff806`86488000   registry   (deferred)             
    fffff806`86490000 fffff806`864ae000   WudfPf     (deferred)             
    fffff806`864b0000 fffff806`864ec000   WUDFRd     (deferred)             
    fffff806`864f0000 fffff806`86508000   mslldp     (deferred)             
    fffff806`86510000 fffff806`86526000   lltdio     (deferred)             
    fffff806`86530000 fffff806`8654a000   rspndr     (deferred)             
    fffff806`86550000 fffff806`8656b000   wanarp     (deferred)             
    fffff806`86570000 fffff806`86586000   ndisuio    (deferred)             
    fffff806`86590000 fffff806`866a2000   HTTP       (deferred)             
    fffff806`866b0000 fffff806`866d2000   bowser     (deferred)             
    fffff806`866e0000 fffff806`86755000   mrxsmb     (deferred)             
    fffff806`86760000 fffff806`8679b000   mrxsmb20   (deferred)             
    fffff806`867a0000 fffff806`867b9000   mpsdrv     (deferred)             
    fffff806`867c0000 fffff806`867ca000   vmmemctl   (deferred)             
    fffff806`867f0000 fffff806`86802000   mouclass   (deferred)             
    fffff806`86810000 fffff806`86846000   vm3dmp     (deferred)             
    fffff806`86850000 fffff806`86860000   usbuhci    (deferred)             
    fffff806`86860000 fffff806`868d6000   USBPORT    (deferred)             
    fffff806`868e0000 fffff806`868fb000   HDAudBus   (deferred)             
    fffff806`86900000 fffff806`86961000   portcls    (deferred)             
    fffff806`86970000 fffff806`86991000   drmk       (deferred)             
    fffff806`869a0000 fffff806`869e4000   srvnet     (deferred)             
    Unloaded modules:
    fffff806`84ac0000 fffff806`84acf000   dump_storport.sys
    fffff806`843e0000 fffff806`843ff000   dump_LSI_SAS.sys
    fffff806`85320000 fffff806`8533d000   dump_dumpfve.sys
    fffff806`85c60000 fffff806`85c9c000   WUDFRd.sys
    fffff806`856d0000 fffff806`856e4000   dam.sys 
    fffff806`83df0000 fffff806`83e00000   WdBoot.sys
    fffff806`84ac0000 fffff806`84acf000   hwpolicy.sys

    Then I navigate to the symbol win32k!NtUserSystemParametersInfo in the Disassembly window of WinDbg and I get the following in the console:

    DBGHELP: s:\sims\win32k.sys - OK
    DBGENG:  Partial symbol load found image s:\sims\win32k.sys.
    SYMSRV:  PATH: c:\symbols\win32k.pdb\A6279811A1CC4366951AB5EC3BAC5DC51\win32k.pdb
    DBGHELP: win32k - public symbols  

    And still...

    0: kd> uf win32k!NtUserSystemParametersInfo
    No code found, aborting

    ffff823e`56e91b84 ??              ???
    ffff823e`56e91b85 ??              ???
    ffff823e`56e91b86 ??              ???
    ffff823e`56e91b87 ??              ???
    ffff823e`56e91b88 ??              ???
    ffff823e`56e91b89 ??              ???

    So it seems that the module is getting messed up somehow: the symbols are "loaded", but there is still no code or anything.

    After that I tried the method from your link. I created a folder on the C: volume, C:\symbols_kernel, shared it on the network, put the same three files there, and added it to the sympath:

    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*c:\symbols*
    OK                                             \\DESKTOP-H952IE\symbols_kernel
    DBGHELP: Symbol Search Path: srv*c:\symbols*;\\desktop-h952ie\symbols_kernel
    DBGHELP: Symbol Search Path: srv*c:\symbols*;\\desktop-h952ie\symbols_kernel

    Then I did .reload; the output was the same as the reload in the previous method, and the end result is the same.

    From the output it appears that all symbols are loaded; here is the output of x win32k!*:

    ffff823e`56ec5bf9 win32k!RtlUpcaseUnicodeToMultiByteN = <no type information>
    ffff823e`56ec5c30 win32k!RtlVirtualUnwind = <no type information>
    ffff823e`56ec5c58 win32k!RtlZeroMemory = <no type information>
    ffff823e`56ec5f86 win32k!_C_specific_handler = <no type information>
    ffff823e`56ec5fad win32k!_chkstk = <no type information>
    ffff823e`56ec5fc5 win32k!itoa = <no type information>
    ffff823e`56ec5fda win32k!itow = <no type information>
    ffff823e`56ec5ff7 win32k!local_unwind = <no type information>
    ffff823e`56ec6016 win32k!setjmp = <no type information>
    ffff823e`56ec6031 win32k!setjmpex = <no type information>
    ffff823e`56ec604c win32k!longjmp = <no type information>

    But still I get this weird thing:

    0: kd> !lmi win32k
    Loaded Module Info: [win32k] 
    Cannot read Image header @ ffff823e56e90000
        Load Report: export symbols
    0: kd> !lmi win32kbase
    Loaded Module Info: [win32kbase] 
    Cannot read Image header @ ffff823e56990000
        Load Report: no symbols loaded

    It says that the headers are corrupted, but when doing .reload I haven't received any messages about corrupted headers in those images at all!

    Sunday, December 11, 2016 4:37 PM
  • Looking at an 'older' Win10, taking win32k.sys: symbols load when in the System process context, but the address range of win32k.sys is also not accessible (not mapped) there.
    Only setting the context to a different (interactive) process - e.g. you mentioned explorer.exe - makes the memory available.

    kd> !process
    PROCESS ffffe001b8696840
        SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
        DirBase: 001c8000  ObjectTable: ffffc000c9014000  HandleCount: <Data Not Accessible>
        Image: System
        VadRoot ffffe001b980d3b0 Vads 360 Clone 0 Private 11362. Modified 78664. Locked 0.
    kd> u win32k!NtUserSystemParametersInfo
    fffff960`f3721e10 ??              ???
                                          ^ Memory access error in 'u win32k!NtUserSystemParametersInfo'
    kd> dq win32k!NtUserSystemParametersInfo
    fffff960`f3721e10  ????????`???????? ????????`????????
    fffff960`f3721e20  ????????`???????? ????????`????????
    fffff960`f3721e30  ????????`???????? ????????`????????
    fffff960`f3721e40  ????????`???????? ????????`????????
    fffff960`f3721e50  ????????`???????? ????????`????????
    fffff960`f3721e60  ????????`???????? ????????`????????
    fffff960`f3721e70  ????????`???????? ????????`????????
    fffff960`f3721e80  ????????`???????? ????????`????????

    Trying to set a breakpoint at win32k!NtUserSystemParametersInfo (in the System process context) shows:
    kd> bp win32k!NtUserSystemParametersInfo
    WARNING: Software breakpoints on session addresses can cause bugchecks.
    Use hardware execution breakpoints (ba e) if possible.
    kd> ba e1 win32k!NtUserSystemParametersInfo
    kd> g
    Breakpoint 0 hit
    fffff960`f3721e10 ff2542880000    jmp     qword ptr [win32k!_imp_NtUserSystemParametersInfo (fffff960`f372a658)]
    kd> !process
    PROCESS ffffe001bb4bb840
        SessionId: 1  Cid: 0b04    Peb: 7ff66b1b9000  ParentCid: 024c
        DirBase: 4a1ff000  ObjectTable: ffffc000cc3eac00  HandleCount: <Data Not Accessible>
        Image: ShellExperienceHost.exe
        VadRoot ffffe001bac52be0 Vads 252 Clone 0 Private 3930. Modified 7879. Locked 0.

    Regarding paged-out headers, one can possibly try .pagein (with the context set to explorer.exe?) when live-debugging.
    (I would create a snapshot first, if it is a VM.)

    kd> .pagein /p ffffe001bb4bb840 fffff960f3190000
    You need to continue execution (press 'g' <enter>) for the pagein to be brought in.  When the debugger breaks in again, the page will be present.
    kd> g
    Break instruction exception - code 80000003 (first chance)
    fffff803`b9fd2300 cc              int     3
    kd> dq fffff960f3190000
    fffff960`f3190000  00000003`00905a4d 0000ffff`00000004

    With kind regards
    Monday, December 12, 2016 12:35 AM
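The procedure the last reply describes (switch to an interactive process context, reload the session drivers, page the header in, and use a hardware breakpoint) collected into one WinDbg command sequence. This is an added example, not something posted in the thread; the EPROCESS and module base addresses are taken from outputs quoted above and stand in for the values your own target prints.

```windbg
$$ Added example (not from the thread). Run on a live kernel-debugging session
$$ after '!sym noisy' so that symbol-loading problems are visible.

$$ 1. Confirm the current context is the System process (SessionId: none).
$$    Session-space memory (win32k*, cdd, TSDDD) is not mapped there, which is
$$    why 'u' shows '??' even when the PDB has been downloaded.
!process

$$ 2. Find an interactive (Session 1) process to borrow a page directory from.
!process 0 0 explorer.exe

$$ 3. Switch the debugger's process context. /p makes that process's page
$$    tables the ones used for memory reads; /r reloads user-mode symbols.
$$    Placeholder EPROCESS taken from the reply above: replace with the PROCESS
$$    value printed by step 2.
.process /p /r ffffe001`bb4bb840

$$ 4. Reload the session drivers now that their images can be read; '/f' forces
$$    the load instead of leaving the modules '(deferred)'.
.reload /f win32k.sys
.reload /f win32kbase.sys
.reload /f win32kfull.sys

$$ 5. Verify: the modules should no longer be '(deferred)', '!lmi' should not
$$    print 'Cannot read Image header', and 'u' should show real instructions.
lm m win32k*
!lmi win32kbase
u win32kbase!NtGdiCreateCompatibleDC

$$ 6. If '!lmi' still reports 'Cannot read Image header', the PE header is
$$    paged out. Ask the target to bring it in, resume, and wait for the
$$    debugger to break again. Placeholder base address taken from the 'lmDva'
$$    output above: use the 'start' column of 'lm m win32kbase' on your target.
.pagein /p ffffe001`bb4bb840 ffffff56`b3790000
g
$$    The low word of the first qword should now read 5a4d ('MZ').
dq ffffff56`b3790000 L2

$$ 7. Break on a session-space function with a hardware execution breakpoint;
$$    'bp' on session addresses triggers the bugcheck warning seen above.
ba e1 win32k!NtUserSystemParametersInfo
g
```

After the breakpoint hits, '!process' will show the interactive process that issued the call, and the context switch from step 3 is no longer needed for as long as the debugger stays in that process.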