Why can't symchk.exe find the ntkrpamp.exe symbol like windbg.exe does? Is it a bug?

  • Question

  • Why can't symchk.exe find the ntkrpamp.exe symbol like windbg.exe does? Is it a bug?

    Symchk.exe can't find the ntkrpamp.exe symbol when I execute the command below,

    but windbg.exe can find/download the ntkrpamp.exe symbol.

    Please help me.

    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symchk.exe" /id ..\637b0c812e906241f38a2c1bc6d922b5e83868fa.DMP /s srv**https://msdl.microsoft.com/download/symbols /odb
    ...
    SYMCHK: ntkrpamp.exe         FAILED - Can't find binary in path.
    ...

    0: kd> lmvm nt
    Browse full module list
    start end module name
    81274000 81917000 nt (pdb symbols) c:\symbols\ntkrpamp.pdb\7326E2450AD74812976D3172E412A8F91\ntkrpamp.pdb
    Loaded symbol image file: ntkrpamp.exe
    Image path: ntkrpamp.exe
    Image name: ntkrpamp.exe
    Browse all global symbols functions data
    Timestamp: Sat Mar 3 12:31:49 2018 (5A9A1725)
    CheckSum: 0064149F
    ImageSize: 006A3000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4



    Tuesday, April 17, 2018 5:19 AM

Answers

  • Can not complain.
    If windbg can load module and pdb (e.g. kernel-minidump from a different machine):
    3: kd> lmvm nt
    Browse full module list
    start             end                 module name
    fffff800`04257000 fffff800`04840000   nt         (pdb symbols)          c:\mssymbols\ntkrnlmp.pdb\08E4179855A44D5FB05650B68B9369412\ntkrnlmp.pdb
        Loaded symbol image file: ntkrnlmp.exe
        Mapped memory image file: c:\mssymbols\ntoskrnl.exe\4D9E95175e9000\ntoskrnl.exe
        Image path: ntkrnlmp.exe
        Image name: ntkrnlmp.exe
        Browse all global symbols  functions  data
        Timestamp:        Fri Apr  8 06:54:47 2011 (4D9E9517)
        CheckSum:         0055ADA9
        ImageSize:        005E9000
        File version:     6.1.7601.17591
        Product version:  6.1.7601.17591
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        1.0 App
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     ntkrnlmp.exe
        OriginalFilename: ntkrnlmp.exe
        ProductVersion:   6.1.7601.17591
        FileVersion:      6.1.7601.17591 (win7sp1_gdr.110407-1603)
        FileDescription:  NT Kernel & System
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

    And then doing e.g. symchk (say with 'Image name' - for testing)
    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symchk.exe" /v /id 052811-19375-01.dmp /s srv*c:\Temp*https://msdl.microsoft.com/download/symbols /od /fm ntkrnlmp.exe
    [SYMCHK] Searching for symbols to modules in dump file(s) using path srv*c:\Temp*https://msdl.microsoft.com/download/symbols
    SYMCHK: ntkrnlmp.exe         FAILED - Can't find binary in path.
    SYMCHK: FAILED files = 1
    SYMCHK: PASSED + IGNORED files = 0

    symchk succeeds in downloading the respective module 'ntoskrnl.exe' - the one from windbg's 'Mapped memory image file', for it is a dump of a different machine - and the matching symbol file from the MS symbol server - though symchk claims the opposite.

    With kind regards

    • Marked as answer by Dogeyom.yang Wednesday, April 18, 2018 5:14 AM
    Tuesday, April 17, 2018 10:20 AM
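
Added example (not part of the original thread and not Microsoft's code): a Python script that derives the symbol-store index of a binary from the `lmvm` fields quoted in the answer, then builds the store path for the in-memory name `ntkrnlmp.exe` and for the on-disk name `ntoskrnl.exe`. The function names and the trimmed sample text are constructed for illustration; the index layout (timestamp followed by image size) is the one visible in the answer's 'Mapped memory image file' path.

```python
import re

# Constructed sample: the relevant lines of the `lmvm nt` output quoted in the answer.
LMVM_SAMPLE = r"""
fffff800`04257000 fffff800`04840000   nt   (pdb symbols)   c:\mssymbols\ntkrnlmp.pdb\08E4179855A44D5FB05650B68B9369412\ntkrnlmp.pdb
    Loaded symbol image file: ntkrnlmp.exe
    Mapped memory image file: c:\mssymbols\ntoskrnl.exe\4D9E95175e9000\ntoskrnl.exe
    Image name: ntkrnlmp.exe
    Timestamp:        Fri Apr  8 06:54:47 2011 (4D9E9517)
    ImageSize:        005E9000
"""

def parse_lmvm(text):
    """Extract the fields a symbol-store lookup depends on from lmvm output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "image_name": grab(r"^\s*Image name:\s*(.+)$"),
        "mapped": grab(r"^\s*Mapped memory image file:\s*(.+)$"),
        "timestamp": grab(r"^\s*Timestamp:.*\(([0-9A-Fa-f]{1,8})\)\s*$"),
        "image_size": grab(r"^\s*ImageSize:\s*([0-9A-Fa-f]+)\s*$"),
    }

def binary_index(timestamp_hex, image_size_hex):
    """Timestamp as 8 upper-case hex digits, then image size as lower-case hex without leading zeros."""
    return "%08X%x" % (int(timestamp_hex, 16), int(image_size_hex, 16))

def store_path(file_name, index):
    """Relative path of a file inside a symbol store: name/index/name."""
    return "/".join((file_name, index, file_name))

def candidate_paths(text):
    """Store paths for the image name and, if it differs, the mapped on-disk name."""
    info = parse_lmvm(text)
    index = binary_index(info["timestamp"], info["image_size"])
    names = [info["image_name"]]
    if info["mapped"]:
        on_disk = info["mapped"].replace("\\", "/").rsplit("/", 1)[-1]
        if on_disk.lower() != names[0].lower():
            names.append(on_disk)
    return [store_path(n, index) for n in names]

if __name__ == "__main__":
    for path in candidate_paths(LMVM_SAMPLE):
        print(path)
```

The second path printed is the one under which WinDbg's downstream store holds the kernel image in the answer's output; the first uses the name that symchk reports as FAILED.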