goldshtn / msos

Command-line environment à la WinDbg for executing SOS commands without having SOS available.

Extract context record from WER dumps #49

Closed goldshtn closed 8 years ago

goldshtn commented 8 years ago

Dumps generated by Windows Error Reporting have the original context record and exception record obscured by the WER infrastructure. Here's an example call stack from a WER dump:

0:008> kc
 # 
00 ntdll!NtWaitForMultipleObjects
01 KERNELBASE!WaitForMultipleObjectsEx
02 KERNELBASE!WaitForMultipleObjects
03 kernel32!WerpReportFaultInternal
04 kernel32!WerpReportFault
05 kernel32!BasepReportFault
06 KERNELBASE!UnhandledExceptionFilter
07 ntdll!__RtlUserThreadStart
08 ntdll!_RtlUserThreadStart

To extract the original context, WinDbg provides the .ecxr command. We should be able to do something similar.

goldshtn commented 8 years ago

And here's how to do it: IDebugAdvanced2::Request has a set of commands for getting the faulting thread, the exception record, and the context record.
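The three stored-event requests named in the comment above, as an added example that is not part of the thread or of msos itself. It assumes the ClrMD interop wrappers (Microsoft.Diagnostics.Runtime.Interop) for IDebugAdvanced2.Request and the DEBUG_REQUEST enum; the DEBUG_REQUEST values TARGET_EXCEPTION_CONTEXT, TARGET_EXCEPTION_THREAD and TARGET_EXCEPTION_RECORD are the dbgeng.h ones, every other name is this example's own, and the 4096-byte context buffer is an assumption sized to hold either an x86 or x64 CONTEXT:

```csharp
// Added example (not msos code). Assumes Microsoft.Diagnostics.Runtime.Interop
// exposes IDebugAdvanced2.Request and DEBUG_REQUEST; other names are local.
using System;
using System.Runtime.InteropServices;
using Microsoft.Diagnostics.Runtime.Interop;

// Mirrors the native EXCEPTION_RECORD64 layout (winnt.h, 152 bytes) so the
// bytes returned by TARGET_EXCEPTION_RECORD can be marshalled directly.
[StructLayout(LayoutKind.Sequential)]
struct StoredExceptionRecord
{
    public uint ExceptionCode;
    public uint ExceptionFlags;
    public ulong ExceptionRecord;      // chained record, normally 0
    public ulong ExceptionAddress;
    public uint NumberParameters;
    public uint __unusedAlignment;
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 15)]
    public ulong[] ExceptionInformation;
}

sealed class StoredException
{
    public uint ThreadId;               // OS thread id of the faulting thread
    public StoredExceptionRecord Record;
    public byte[] Context;              // raw CONTEXT; size is architecture-specific
}

static class WerContext
{
    // Returns null (instead of throwing) when the dump carries no stored
    // exception, e.g. a dump taken with .dump rather than written by WER.
    public static StoredException TryGetStoredException(IDebugAdvanced2 advanced)
    {
        var result = new StoredException();

        // 1. Faulting thread: OutBuffer receives a ULONG thread id.
        byte[] tid = Request(advanced, DEBUG_REQUEST.TARGET_EXCEPTION_THREAD, sizeof(uint));
        if (tid == null || tid.Length < sizeof(uint))
            return null;
        result.ThreadId = BitConverter.ToUInt32(tid, 0);

        // 2. Exception record: OutBuffer receives an EXCEPTION_RECORD64.
        int recSize = Marshal.SizeOf(typeof(StoredExceptionRecord));
        byte[] rec = Request(advanced, DEBUG_REQUEST.TARGET_EXCEPTION_RECORD, recSize);
        if (rec == null || rec.Length < recSize)
            return null;
        GCHandle pinned = GCHandle.Alloc(rec, GCHandleType.Pinned);
        try
        {
            result.Record = (StoredExceptionRecord)Marshal.PtrToStructure(
                pinned.AddrOfPinnedObject(), typeof(StoredExceptionRecord));
        }
        finally
        {
            pinned.Free();
        }

        // 3. Context record: OutBuffer receives the target's CONTEXT. x86 and
        // x64 CONTEXTs differ in size, so hand dbgeng a buffer large enough for
        // either (assumed 4096 bytes) and keep only the OutSize bytes it filled.
        result.Context = Request(advanced, DEBUG_REQUEST.TARGET_EXCEPTION_CONTEXT, 4096);
        return result.Context == null ? null : result;
    }

    // One IDebugAdvanced2::Request with no input buffer; returns exactly the
    // bytes dbgeng reported in OutSize, or null if the request failed.
    private static byte[] Request(IDebugAdvanced2 advanced, DEBUG_REQUEST request, int outSize)
    {
        IntPtr outBuf = Marshal.AllocHGlobal(outSize);
        try
        {
            int written;
            int hr = advanced.Request(request, IntPtr.Zero, 0, outBuf, outSize, out written);
            if (hr < 0)                 // FAILED(hr): no stored event in this dump
                return null;
            byte[] data = new byte[Math.Min(written, outSize)];
            Marshal.Copy(outBuf, data, 0, data.Length);
            return data;
        }
        finally
        {
            Marshal.FreeHGlobal(outBuf);
        }
    }
}
```

The thread id is what to switch to before walking the stack, and Record.ExceptionCode plus Record.ExceptionAddress are what the WER frames on the stack above hide; for an access violation (0xC0000005) ExceptionInformation[0] is the read/write flag and ExceptionInformation[1] the faulting address. The CONTEXT bytes are only meaningful once interpreted against the target architecture reported by the debugger, which is why the example returns them raw.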

goldshtn commented 8 years ago

Done in #58 as part of the report command; the GetLastEventInformation() method now returns data based on the WER context.