Hello, Teacher Zhang!
System: WinXP SP3; WinDbg 6.11; _NT_SYMBOL_PATH=D:\MyLocalSymbols;SRV*D:\MyLocalSymbols* http://msdl.microsoft.com/download/symbols ("D:\MyLocalSymbols" is the local folder where the symbols are stored; I downloaded and extracted "WindowsXP-KB936929-SP3-x86-DEBUG-symbols" into it.)
lkd> !lmi nt
Loaded Module Info: [nt]
             Module: ntkrpamp
       Base Address: 804d8000
         Image Name: ntkrpamp.exe
       Machine Type: 332 (I386)
         Time Stamp: 4a7834fd Tue Aug 04 21:17:49 2009
               Size: 20d000
           CheckSum: 1f347d
    Characteristics: 12e
    Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    25,   9ff0,    95f0 RSDS - GUID: {67723BD9-C3F4-4354-9FA8-B9FFFAEC8C9B}
               Age: 1, Pdb: ntkrpamp.pdb
         Image Type: MEMORY      - Image read successfully from loaded memory.
        Symbol Type: PDB         - Symbols loaded successfully from symbol server.
                     d:\mylocalsymbols\ntkrpamp.pdb\67723BD9C3F443549FA8B9FFFAEC8C9B1\ntkrpamp.pdb
        Load Report: public symbols , not source indexed
                     d:\mylocalsymbols\ntkrpamp.pdb\67723BD9C3F443549FA8B9FFFAEC8C9B1\ntkrpamp.pdb
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
*************************************************************************
***    Your debugger is not using the correct symbols                 ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***    Type referenced: nt!_LIST_ENTRY                                ***
*************************************************************************
Unable to read _LIST_ENTRY @ 805648b8
My company laptop (WinXP SP2) can run "lkd> !PROCESS 0 0" with exactly the same setup. After several days of searching online and reading articles, I noticed one difference:
lkd> !lmi nt
Loaded Module Info: [nt]
             Module: ntoskrnl
The machine on which "lkd> !PROCESS 0 0" does not work shows ntkrpamp, while the company machine, and the examples online and in the literature, show ntoskrnl. I don't know whether this is the crucial point.
I also tried deleting the ntkrpamp.pdb folder in D:\MyLocalSymbols and the ntkrnlmp.pdb in the exe folder; after restarting WinDbg:
DBGHELP: Symbol Search Path: d:\mylocalsymbols;srv*d:\mylocalsymbols* http://msdl.microsoft.com/download/symbols
SYMSRV:  d:\mylocalsymbols\ntkrpamp.pdb\67723BD9C3F443549FA8B9FFFAEC8C9B1\ntkrpamp.pdb not found
SYMSRV:  ntkrpamp.pdb from http://msdl.microsoft.com/download/symbols: 432396 bytes - copied
DBGHELP: nt - public symbols
         d:\mylocalsymbols\ntkrpamp.pdb\67723BD9C3F443549FA8B9FFFAEC8C9B1\ntkrpamp.pdb
WinDbg actually downloaded ntkrpamp.pdb automatically.
And of course the result is the same:
lkd> !lmi nt
Loaded Module Info: [nt]
             Module: ntkrpamp
Still unable to run "lkd> !PROCESS 0 0". (!PROCESS is just one example command; what I mainly want is to practice the experiments in your book.)
I am very confused and sincerely ask Teacher Zhang to clear this up for me!!! Thank you.
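To make the !lmi output in the post above easier to reason about, here is a small added example (my own code, not from the thread, the book, or WinDbg) that parses that output, re-derives the symbol-store path WinDbg looked up from the GUID and Age it printed, and flags the two things worth checking here: whether the PDB that loaded is a public (stripped) one, and which kernel flavor the module name denotes. The sample text is the post's own !lmi output, embedded verbatim; the kernel-flavor table (ntoskrnl = uniprocessor non-PAE, ntkrnlpa = uniprocessor PAE, ntkrnlmp = multiprocessor non-PAE, ntkrpamp = multiprocessor PAE) is general Windows XP knowledge I am supplying, not something stated in the thread.

```python
import re

# Constructed sample input: the !lmi output quoted in the post above, one field per line.
LMI_OUTPUT = """\
lkd> !lmi nt
Loaded Module Info: [nt]
             Module: ntkrpamp
       Base Address: 804d8000
         Image Name: ntkrpamp.exe
       Machine Type: 332 (I386)
         Time Stamp: 4a7834fd Tue Aug 04 21:17:49 2009
               Size: 20d000
           CheckSum: 1f347d
    Characteristics: 12e
    Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    25,   9ff0,    95f0 RSDS - GUID: {67723BD9-C3F4-4354-9FA8-B9FFFAEC8C9B}
               Age: 1, Pdb: ntkrpamp.pdb
         Image Type: MEMORY      - Image read successfully from loaded memory.
        Symbol Type: PDB         - Symbols loaded successfully from symbol server.
                     d:\\mylocalsymbols\\ntkrpamp.pdb\\67723BD9C3F443549FA8B9FFFAEC8C9B1\\ntkrpamp.pdb
        Load Report: public symbols , not source indexed
                     d:\\mylocalsymbols\\ntkrpamp.pdb\\67723BD9C3F443549FA8B9FFFAEC8C9B1\\ntkrpamp.pdb
"""

# Windows XP x86 kernel image flavors (general knowledge, not taken from the thread).
KERNEL_FLAVORS = {
    "ntoskrnl": "uniprocessor, non-PAE",
    "ntkrnlpa": "uniprocessor, PAE",
    "ntkrnlmp": "multiprocessor, non-PAE",
    "ntkrpamp": "multiprocessor, PAE",
}


def parse_lmi(text):
    """Pull module name, RSDS GUID, PDB age/name, load report and loaded path out of !lmi output."""
    info = {}
    info["module"] = re.search(r"^\s*Module:\s*(\S+)", text, re.M).group(1)
    info["guid"] = re.search(r"GUID:\s*\{([0-9A-Fa-f-]+)\}", text).group(1)
    m = re.search(r"Age:\s*(\d+),\s*Pdb:\s*(\S+)", text)
    info["age"], info["pdb"] = int(m.group(1)), m.group(2)
    info["load_report"] = re.search(r"Load Report:\s*(.*)$", text, re.M).group(1).strip()
    # Indented lines holding only a drive-letter path to a .pdb are the resolved symbol file.
    paths = re.findall(r"^\s+([A-Za-z]:\\\S+\.pdb)\s*$", text, re.M)
    info["loaded_path"] = paths[0] if paths else None
    return info


def symstore_relpath(pdb, guid, age):
    """Symbol-server layout: <pdb>\\<GUID hex without braces or dashes><Age in hex>\\<pdb>."""
    key = guid.replace("-", "").upper() + format(age, "X")
    return f"{pdb}\\{key}\\{pdb}"


def diagnose(text):
    """Return what a reader of this !lmi output would want to know before running !process."""
    info = parse_lmi(text)
    expected = symstore_relpath(info["pdb"], info["guid"], info["age"])
    loaded = info["loaded_path"] or ""
    return {
        "module": info["module"],
        "kernel_flavor": KERNEL_FLAVORS.get(info["module"].lower(), "unknown"),
        "expected_relpath": expected,
        # The debugger's path should end with the derived store key; a mismatch means
        # the PDB it found does not belong to this image (wrong GUID/age).
        "path_matches": loaded.lower().endswith(expected.lower()),
        # Public symbols carry no private type information, which is what the
        # "Type referenced: nt!_LIST_ENTRY" message in the post complains about.
        "public_only": "public symbols" in info["load_report"].lower(),
    }


if __name__ == "__main__":
    for k, v in diagnose(LMI_OUTPUT).items():
        print(f"{k:18}: {v}")
```

Run stand-alone it prints the derived store path, confirms it is the same path WinDbg reported (so the GUID/age match is not the problem), and reports the module as the multiprocessor PAE kernel loaded with public symbols only.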
Teacher Zhang, please see the attachment!
This is the output after trying the command "dt nt!_LIST_ENTRY"; it still does not work.
I tried the command ".chain"; its output is about the same as what you wrote.
I cannot run ".dump /m m.dmp" under lkd>; please advise how to generate a minidump to send to you.
I also tried modifying the boot parameters, adding /nopae in Boot.ini to use a different kernel file: "multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /nopae". After restarting it still does not work.
Hello, Teacher Zhang,
I found the following:
"/nopae disables Physical Address Extension and forces the boot loader to load the non-PAE version of the Windows kernel." "The /nopae option is supported only on Windows Server 2003 SP1 and Windows XP SP2. On Windows Vista and later, use the PAE element and the ForceDisable value of BCDEdit."
Also, the laptop on which "dt nt!_LIST_ENTRY" works happens to be WinXP SP2:
lkd> !lmi nt
Loaded Module Info: [nt]
             Module: ntoskrnl
The machine that does not work is WinXP SP3 / Module: ntkrpamp.
Page 186 of your book also mentions the difference between "ntkrpamp.exe" and "ntoskrnl.exe", but I could not grasp it; please advise how to change the kernel file.
1. "Look in the c:\windows\minidump directory to see whether there are dump files generated previously..."
There is no minidump directory under c:\windows on my machine.
2. "After disabling PAE, is the error message the same?"
I tried modifying the boot parameters, adding /nopae in Boot.ini: "multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /nopae". After restarting, it still does not work.
3. "If there are still problems, then upload the pdb file listed by !lmi"
Please see the attachment, Teacher.
Teacher Zhang,
The forum says: your post has been saved, but the attachment was not uploaded because it exceeds the size limit.
The "ntkrpamp.pdb" listed by !lmi nt on my machine is 1.47 MB.
Please see the attachment, thank you!