I am currently having problems with WINDBG. Though I have my symbol path set for srv*C:\symbols*http://msdl.microsoft.com/download/symbols, I nevertheless am getting the following error:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe - Windows 7 Kernel Version 7601 (Service Pack 1)
After deleting all of my symbol files and re-downloading everything, I went into WinDbg and tried to do a reload on ntdll.dll. The following are the commands I issued:
lkd> !sym noisy
lkd> .reload /f ntdll.dll
"ntdll.dll" was not found in the image list.
Debugger will attempt to load "ntdll.dll" at given base 00000000'00000000.
Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results. Base address and size overrides can be given as .reload <image.ext>=<base>, size>.
DBGENG: ntdll.dll - Partial symbol image load missing image into.
DBGHELP: No header for ntdll.dll. Searching for dbg file.
DBGHELP: .\ntdll.dbg - file not found.
DBGHELP: .\dll\ntdll.dbg - path not found.
DBGHELP: .\symbols\dll\ntdll.dbg - path not found.
DBGHELP: .ntdll.dll missing debug info. Searching for pdb anyway.
DBGHELP: Can't use symbol server for ntdll.pdb - no header information available.
DBGHELP: ntdll.pdb - file not found
DBGHELP: ntdll - no symbols loaded
Unable to add module at 00000000'00000000
Does anyone out there know why this is occurring?
According to your cmd-prompt, you seem to be using local-kernel debugging?
Since windbg falls back to exported symbols for ntkrnlmp.exe, I assume ntkrnlmp.pdb is also not loaded.
When doing a
.reload /f nt
does windbg look for the image file?
Then probably it is a matter of paged-out memory.
Also you may try for more info
!lmi ntdll.dll (though for this one I would expect 'not found' according to your error message)
Sometimes during local-kernel-debugging (which I do not use very often) I have to switch to a user process to load symbols for ntdll.dll
PROCESS 84fcf9a8 SessionId: 1 Cid: 0c5c Peb: 7ffd9000 ParentCid: 060c
DirBase: 7c2beac0 ObjectTable: 94401af8 HandleCount: 76.
Image: notepad.exe
lkd> .process /r /p 84fcf9a8
Implicit process is now 84fcf9a8
Loading User Symbols
..........................
DBGHELP: c:\windows\symbols\dll\ntdll.pdb - file not found
DBGHELP: c:\windows\symbols\dll\dll\ntdll.pdb - file not found
DBGHELP: c:\windows\symbols\dll\symbols\dll\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols c:\symbols\mssymbols\ntdll.pdb\6E883...593F26D92\ntdll.pdb
Besides, have you already tried Sysinternals livekd? It seems to be a little bit more restricted, though, using a static snapshot.
With kind regards
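
An added example, not part of either post: a small Python triage of `!sym noisy` output that separates the "no header information available" case from plain search-path misses, which is the distinction the reply above turns on. The sample lines are constructed in the shape of the output quoted in this thread, the GUID directory is a placeholder, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples in the shape of the output quoted in this thread.
BEFORE = r"""*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe -
DBGHELP: .\ntdll.dbg - file not found
DBGHELP: .\dll\ntdll.dbg - path not found
DBGHELP: Can't use symbol server for ntdll.pdb - no header information available
DBGHELP: ntdll.pdb - file not found
DBGHELP: ntdll - no symbols loaded"""
AFTER = r"""DBGHELP: c:\windows\symbols\dll\ntdll.pdb - file not found
DBGHELP: ntdll - public symbols c:\symbols\mssymbols\ntdll.pdb\GUID_AGE_PLACEHOLDER\ntdll.pdb"""

NO_HEADER = re.compile(r"Can't use symbol server for (\S+) - no header information available")
EXPORTS = re.compile(r"Defaulted to export symbols for (\S+)")
MISS = re.compile(r"DBGHELP: (\S+\.(?:pdb|dbg)) - (?:file|path) not found")
RESULT = re.compile(r"DBGHELP: (\S+) - (no symbols loaded|public symbols)\s*(\S*)")

def stem(name):
    """Strip directory and extension: '.\\dll\\ntdll.dbg' -> 'ntdll'."""
    return re.split(r"[\\/]", name)[-1].rsplit(".", 1)[0].lower()

def triage(log):
    """Return {module: {status, pdb, no_header, misses}} for one noisy log."""
    mods = defaultdict(lambda: {"status": "unknown", "pdb": None,
                                "no_header": False, "misses": 0})
    for line in log.splitlines():
        if m := NO_HEADER.search(line):
            mods[stem(m.group(1))]["no_header"] = True
        elif m := EXPORTS.search(line):
            mods[stem(m.group(1))]["status"] = "export symbols"
        elif m := MISS.search(line):
            mods[stem(m.group(1))]["misses"] += 1
        elif m := RESULT.search(line):
            entry = mods[stem(m.group(1))]
            entry["status"], entry["pdb"] = m.group(2), m.group(3) or None
    return dict(mods)

def hint(entry):
    """Map a module's record to the next check suggested in the reply above."""
    if entry["status"] == "public symbols":
        return "symbols loaded"
    if entry["no_header"]:
        return "image header unreadable: check process context / paged-out memory"
    if entry["status"] == "export symbols":
        return "PDB not loaded: retry .reload /f with !sym noisy and read the misses"
    return "no PDB found on the searched paths"
```

Calling `triage(BEFORE)` and `triage(AFTER)` and passing each module's record to `hint` shows ntdll moving from the header-unreadable case to loaded public symbols once the process context is set.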