Using WinDbg to find the faulting stack and stack trace when UnhandledExceptionFilter is on the stack

Source: Internet
Author: User
Tags: stack trace, Microsoft website

1. When the UnhandledExceptionFilter function is called, no exception handler has been defined to handle the exception. Normally an exception is passed up to Ntdll.dll, which catches it and tries to handle it.

In some cases you may see UnhandledExceptionFilter being called by a thread that is holding a lock. In such cases, the steps below let you identify the DLL in which the exception actually occurred, even though the top of the stack only shows the filter.
Opening the dump file in WinDbg.exe
1. Download and install the debugging tools. To download them, visit the following Microsoft website:
Microsoft Debugging Tools
http://www.microsoft.com/whdc/devtools/ddk/default.mspx
2. Go to the WinDbg directory and use the CDB tool to generate the dump file: cdb -pv -pn <process name> -c ".dump /m c:\<file name>.dmp; q", for example cdb -pv -pn explorer.exe -c ".dump /m c:\explorer.dmp; q". The -pv switch attaches non-invasively, so the target keeps running, and .dump /m writes a minidump; the exception and context records examined below live on the faulting thread's stack, which a minidump includes.
3. Open the folder in which the debugger is installed and double-click windbg.exe to start the debugger.
4. On the File menu, click Open Crash Dump (or press Ctrl+D), and then select the dump file you want to view.
Finding the exception stack with WinDbg.exe
1. Open the .dmp file in windbg.exe.
2. Make sure the symbol path points to the correct location. For details on how to do this, visit the following Microsoft website:
How to obtain symbols
http://www.microsoft.com/whdc/devtools/ddk/default.mspx
3. At the command prompt, type ~*kb to list the stacks of all threads in the process.
4. Identify the thread that calls kernel32!UnhandledExceptionFilter. It looks similar to the following:
120  Id: f0f0f0f0.a1c Suspend: 1 Teb 7ff72000 Unfrozen
ChildEBP RetAddr  Args to Child
09a8f334 77eb9b46 0415244c 00000001 00000000 ntdll!ZwWaitForSingleObject+0xb [i386\usrstubs.asm @ 2004]
09a8f644 77ea7e7a 09a8f66c 77e861ae 09a8f674 kernel32!UnhandledExceptionFilter+0x2b5 [D:\NT\private\Windows\base\client\thread.c @ 1753]
09a8ffec 00000000 787bf0b8 0216fe94 00000000 kernel32!BaseThreadStart+0x65 [D:\NT\private\Windows\base\client\support.c @ 453]

5. Switch to this thread (in this example the thread is 120, so the command is ~120s).

6. Use the dd command to display the memory at the address given by the first parameter of kernel32!UnhandledExceptionFilter (09a8f66c, the first value in the Args to Child column). This parameter points to an EXCEPTION_POINTERS structure, whose two DWORDs are the ExceptionRecord and ContextRecord pointers:
0:120> dd 09a8f66c
09a8f66c  09a8f738 09a8f754 09a8f698 77f8f45c
09a8f67c  09a8f738 09a8ffdc 09a8f754 09a8f710
09a8f68c  09a8ffdc 77f8f5b5 09a8ffdc 09a8f720
09a8f69c  77f8f3fa 09a8f738 09a8ffdc 09a8f754
09a8f6ac  09a8f710 77e8615b 09a8fad4 00000000
09a8f6bc  09a8f738 74a25336 09a8f6e0 09a8f910
09a8f6cc  01dc8ad8 0d788918 00000001 018d1f28
09a8f6dc  00000001 61746164 7073612e 09a8f71c


7. The first DWORD is a pointer to the exception record. To obtain information about the exception type, run the following command at the command prompt:
.exr <first DWORD from step 6>
0:120> .exr 09a8f738
ExceptionAddress: 78011f32 (msvcrt!strnicmp+0x00000092)
   ExceptionCode: c0000005
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000


8. The second DWORD is a pointer to the context record. To load that context into the debugger, run the following command at the command prompt:
.cxr <second DWORD from step 6>
0:120> .cxr 09a8f754
eax=???????? (value garbled in the source) ebx=7803cb28 ecx=00000000 edx=00000000 esi=00000000 edi=09a8fad4
eip=78011f32 esp=09a8fa20 ebp=09a8fa2c iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
msvcrt!strnicmp+0x92:
78011f32 8a06             mov     al,[esi]


9. Run the kv command to obtain the actual faulting call stack. Because .cxr replaced the current register context with the one saved at the time of the exception, the stack now starts at the faulting instruction instead of at the filter, which lets you identify the code that raised the exception and was not handled correctly:
0:120> kv
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
09a8fa2c 780119ab 09a8fad4 00000000 09a8faa8 msvcrt!strnicmp+0x92
09a8fa40 7801197c 09a8fad4 00000000 6d7044fd msvcrt!stricmp+0x3c
09a8fa80 6e5a6ef6 09a8fad4 2193d68d 00e5e298 msvcrt!stricmp+0xd
09a8fa94 6d7043bf 09a8fad4 09a8faa8 0000001c iisrtl!CLKRHashTable::FindKey+0x59 (FPO: [2,0,1])
09a8faac 749fc22d 09a8fad4 01d553b0 0000001c isatq!CDirMonitor::FindEntry+0x1e (FPO: [Non-Fpo]) [D:\NT\private\inet\IIS\svcs\infocomm\atq\dirmon.cpp @ 884]
09a8fac4 749fd1cb 09a8fad4 09a8fb10 525c3a46 asp!RegisterASPDirMonitorEntry+0x6e (FPO: [EBP 0x09a8fb08] [534,4]) [D:\NT\private\inet\IIS\svcs\cmp\asp\aspdmon.cpp @ ]
09a8fb08 749fcdd6 00000000 09a8fcbc 018d1f28 asp!CTemplateCacheManager::RegisterTemplateForChangeNotification+0x8a (FPO: [Non-Fpo]) [D:\NT\private\inet\IIS\svcs\cmp\asp\cachemgr.cpp @ 621]
09a8fb3c 74a08bfe 00000000 010900fa 74a30958 asp!CTemplateCacheManager::Load+0x382 (FPO: [Non-Fpo]) [D:\NT\private\inet\IIS\svcs\cmp\asp\cachemgr.cpp @ 364]
09a8fc68 74a0d4c9 04c12518 018d1f28 09a8fcbc asp!LoadTemplate+0x42 (FPO: [Non-Fpo]) [D:\NT\private\inet\IIS\svcs\cmp\asp\exec.cpp @ 1037]
09a8fcc0 74a2c3e5 00000000 0637ee38 09a8fd58 asp!CHitObj::ViperAsyncCallback+0x3e8 (FPO: [Non-Fpo]) [D:\NT\private\inet\IIS\svcs\cmp\asp\hitobj.cpp @ 2414]
09a8fcd8 787c048a 00000000 77aa1b03 01e91ed8 asp!CViperAsyncRequest::OnCall+0x3f (FPO: [Non-Fpo]) [D:\NT\private\inet\IIS\svcs\cmp\asp\viperint.cpp @ 194]
09a8fce0 77aa1b03 01e91ed8 77a536d8 00000000 comsvcs!STAActivityWorkHelper+0xa (FPO: [1,0,0])
09a8fd24 77aa1927 000752f8 000864dc 787c0109 ole32!EnterForCallback+0x6a (FPO: [Non-Fpo]) [D:\NT\private\ole32\com\dcomrem\crossctx.cxx @ 1759]
09a8fe50 77aa17ea 000864dc 787c0109 01e91ed8 ole32!SwitchForCallback+0x12b (FPO: [Non-Fpo]) [D:\NT\private\ole32\com\dcomrem\crossctx.cxx @ 1644]
09a8fe78 77aa60c1 000864dc 787c0109 01e91ed8 ole32!PerformCallback+0x50 (FPO: [Non-Fpo]) [D:\NT\private\ole32\com\dcomrem\crossctx.cxx @ 1559]
09a8fed4 77aa5fa6 04f2b4c0 787c0109 01e91ed8 ole32!CObjectContext::InternalContextCallback+0xf5 (FPO: [Non-Fpo]) [D:\NT\private\ole32\com\dcomrem\context.cxx @ 3866]
09a8fef4 787bd3c3 04f2b4c0 787c0109 01e91ed8 ole32!CObjectContext::DoCallback+0x1a (FPO: [Non-Fpo]) [D:\NT\private\ole32\com\dcomrem\context.cxx @ 3746]
09a8ff24 787bf373 0216fb3c 00000007 09a8ffec comsvcs!STAActivityWork::DoWork+0x73 (FPO: [0,4,2])
09a8ffb4 77e8758a 0216fe94 0216fb3c 00000007 comsvcs!STAThread::STAThreadWorker+0x2bb (FPO: [EBP 0x09a8ffec] [1,31,4])
09a8ffec 00000000 787bf0b8 0216fe94 00000000 kernel32!BaseThreadStart+0x52 (FPO: [Non-Fpo]) [D:\NT\private\Windows\base\client\support.c @ 451]

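The walk in steps 6 and 7 (dd the first parameter, take the first DWORD, .exr it) can be done in code against the raw bytes of a dump. The following C program is an added example, not code from the page or from Microsoft: it builds a small 32-bit little-endian memory image (constructed here) containing an EXCEPTION_POINTERS at 09a8f66c whose first DWORD points to an EXCEPTION_RECORD carrying the values .exr printed above, follows the pointer the way .exr does, and produces the same summary line, including the read/write/DEP distinction that ExceptionInformation[0] encodes for c0000005. The image base, the record bytes and the helper names (MemImage, build_image, load_exception_record, describe_exception) are assumptions made for the example.

```c
/* Added example, not from the page: follow EXCEPTION_POINTERS -> EXCEPTION_RECORD in a
 * 32-bit memory image and print what ".exr" prints. Image contents are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXCEPTION_MAXIMUM_PARAMETERS 15
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define MSVC_CXX_EXCEPTION      0xE06D7363u   /* code shown in the second .exr output on the page */

/* winnt.h EXCEPTION_RECORD with 32-bit pointers, matching the page's definition. */
typedef struct {
    uint32_t ExceptionCode;
    uint32_t ExceptionFlags;
    uint32_t ExceptionRecord;          /* pointer to a nested record (4 bytes on x86) */
    uint32_t ExceptionAddress;
    uint32_t NumberParameters;
    uint32_t ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD32;

/* A slice of target memory: start address plus little-endian bytes, like one minidump region. */
typedef struct { uint32_t base; uint8_t bytes[0x200]; } MemImage;

static int read_u32(const MemImage *m, uint32_t addr, uint32_t *out)
{
    if (addr < m->base || addr - m->base > sizeof m->bytes - 4) return 0;   /* not in the image */
    const uint8_t *p = m->bytes + (addr - m->base);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

static void write_u32(MemImage *m, uint32_t addr, uint32_t v)
{
    uint8_t *p = m->bytes + (addr - m->base);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Addresses taken from the dd and .exr output on the page. */
#define PAGE_EXCEPTION_POINTERS 0x09a8f66cu
#define PAGE_EXCEPTION_RECORD   0x09a8f738u
#define PAGE_CONTEXT_RECORD     0x09a8f754u
#define PAGE_EXCEPTION_ADDRESS  0x78011f32u   /* msvcrt!strnicmp+0x92 */

/* Constructed image: EXCEPTION_POINTERS at 09a8f66c whose first DWORD points at an
 * EXCEPTION_RECORD built from the given code and parameters (the page only shows the
 * decoded .exr view of those bytes; the bytes themselves are our construction). */
static void build_image(MemImage *m, uint32_t code, uint32_t param0, uint32_t param1)
{
    memset(m, 0, sizeof *m);
    m->base = 0x09a8f600u;
    write_u32(m, PAGE_EXCEPTION_POINTERS,     PAGE_EXCEPTION_RECORD);  /* .ExceptionRecord */
    write_u32(m, PAGE_EXCEPTION_POINTERS + 4, PAGE_CONTEXT_RECORD);    /* .ContextRecord   */
    write_u32(m, PAGE_EXCEPTION_RECORD + 0,  code);                    /* ExceptionCode    */
    write_u32(m, PAGE_EXCEPTION_RECORD + 4,  0);                       /* ExceptionFlags   */
    write_u32(m, PAGE_EXCEPTION_RECORD + 8,  0);                       /* no nested record */
    write_u32(m, PAGE_EXCEPTION_RECORD + 12, PAGE_EXCEPTION_ADDRESS);  /* ExceptionAddress */
    write_u32(m, PAGE_EXCEPTION_RECORD + 16, 2);                       /* NumberParameters */
    write_u32(m, PAGE_EXCEPTION_RECORD + 20, param0);                  /* ExceptionInformation[0] */
    write_u32(m, PAGE_EXCEPTION_RECORD + 24, param1);                  /* ExceptionInformation[1] */
}

/* Steps 6 and 7 in code: read both pointers of EXCEPTION_POINTERS, then the record (what .exr does). */
static int load_exception_record(const MemImage *m, uint32_t exception_pointers,
                                 EXCEPTION_RECORD32 *rec, uint32_t *context_addr)
{
    uint32_t rec_addr;
    if (!read_u32(m, exception_pointers, &rec_addr)) return 0;
    if (!read_u32(m, exception_pointers + 4, context_addr)) return 0;   /* second DWORD, for .cxr */
    if (!read_u32(m, rec_addr + 0,  &rec->ExceptionCode))    return 0;
    if (!read_u32(m, rec_addr + 4,  &rec->ExceptionFlags))   return 0;
    if (!read_u32(m, rec_addr + 8,  &rec->ExceptionRecord))  return 0;
    if (!read_u32(m, rec_addr + 12, &rec->ExceptionAddress)) return 0;
    if (!read_u32(m, rec_addr + 16, &rec->NumberParameters)) return 0;
    if (rec->NumberParameters > EXCEPTION_MAXIMUM_PARAMETERS) return 0;  /* corrupt record: refuse to over-read */
    for (uint32_t i = 0; i < rec->NumberParameters; i++)
        if (!read_u32(m, rec_addr + 20 + 4 * i, &rec->ExceptionInformation[i])) return 0;
    return 1;
}

/* The summary line .exr prints after the parameters. For c0000005, ExceptionInformation[0]
 * is the access type (0 read, 1 write, 8 instruction fetch blocked by DEP) and [1] the address. */
static const char *describe_exception(const EXCEPTION_RECORD32 *r, char *buf, size_t n)
{
    if (r->ExceptionCode == STATUS_ACCESS_VIOLATION && r->NumberParameters >= 2) {
        const char *what = r->ExceptionInformation[0] == 0 ? "read from" :
                           r->ExceptionInformation[0] == 1 ? "write to" :
                           r->ExceptionInformation[0] == 8 ? "execute non-executable" : "access";
        snprintf(buf, n, "Attempt to %s address %08x", what, r->ExceptionInformation[1]);
    } else if (r->ExceptionCode == MSVC_CXX_EXCEPTION) {
        snprintf(buf, n, "C++ EH exception");
    } else {
        snprintf(buf, n, "Exception code %08x", r->ExceptionCode);
    }
    return buf;
}

int main(void)
{
    MemImage m; EXCEPTION_RECORD32 rec; uint32_t ctx; char line[80];
    build_image(&m, STATUS_ACCESS_VIOLATION, 0, 0);          /* the page's case: read of address 0 */
    if (!load_exception_record(&m, PAGE_EXCEPTION_POINTERS, &rec, &ctx)) return 1;
    printf("ExceptionAddress: %08x\n   ExceptionCode: %08x\n  ExceptionFlags: %08x\nNumberParameters: %u\n",
           rec.ExceptionAddress, rec.ExceptionCode, rec.ExceptionFlags, rec.NumberParameters);
    for (uint32_t i = 0; i < rec.NumberParameters; i++)
        printf("   Parameter[%u]: %08x\n", i, rec.ExceptionInformation[i]);
    printf("%s\nnext: .cxr %08x\n", describe_exception(&rec, line, sizeof line), ctx);
    return 0;
}
```

The bound on NumberParameters is the check worth keeping when a record is read out of memory you do not fully trust (a corrupt heap or a crafted dump): a record claiming more than EXCEPTION_MAXIMUM_PARAMETERS entries would otherwise walk the loop past the structure.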

The _except_handler function


1. In some cases UnhandledExceptionFilter does not appear on the stack at all; only the _except_handler function does. This is the structured exception handling (SEH) callback. Its prototype is:

EXCEPTION_DISPOSITION __cdecl _except_handler(
    struct _EXCEPTION_RECORD *ExceptionRecord,   /* what was raised */
    void *EstablisherFrame,                      /* frame that registered the handler */
    struct _CONTEXT *ContextRecord,              /* registers at the time of the exception */
    void *DispatcherContext);

The first parameter is a pointer to an EXCEPTION_RECORD structure, defined in winnt.h as follows:

typedef struct _EXCEPTION_RECORD {
    DWORD ExceptionCode;                 /* e.g. c0000005 access violation, e06d7363 C++ exception */
    DWORD ExceptionFlags;
    struct _EXCEPTION_RECORD *ExceptionRecord;   /* nested record, if any */
    PVOID ExceptionAddress;              /* faulting instruction */
    DWORD NumberParameters;
    DWORD ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD;

The second parameter of _except_handler is a pointer to the establisher frame.

The third parameter of the _except_handler callback is a pointer to a CONTEXT structure. The x86 layout is shown; in winnt.h the definition continues with a BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION] array after SegSs, which is omitted here:

typedef struct _CONTEXT {
    DWORD ContextFlags;      /* which groups of fields below are valid */
    DWORD Dr0;
    DWORD Dr1;
    DWORD Dr2;
    DWORD Dr3;
    DWORD Dr6;
    DWORD Dr7;
    FLOATING_SAVE_AREA FloatSave;
    DWORD SegGs;
    DWORD SegFs;
    DWORD SegEs;
    DWORD SegDs;
    DWORD Edi;
    DWORD Esi;
    DWORD Ebx;
    DWORD Edx;
    DWORD Ecx;
    DWORD Eax;
    DWORD Ebp;
    DWORD Eip;               /* offset 0xB8 on x86: the faulting instruction pointer */
    DWORD SegCs;
    DWORD EFlags;
    DWORD Esp;
    DWORD SegSs;
} CONTEXT;

The fourth parameter of the _except_handler callback is called DispatcherContext.

2. When analyzing the dump file, type ~*kb at the command prompt to list the stacks of all threads in the process.

 
3. Identify the thread that calls kernel32!_except_handler (here the compiler-generated variant _except_handler3). Because x86 kb prints the first three arguments of each frame, the ExceptionRecord, EstablisherFrame and ContextRecord pointers can be read straight off this line. It looks similar to the following:

9  Id: 918.117c Suspend: 2 Teb: 7ffd8000 Unfrozen
ChildEBP RetAddr  Args to Child
085df400 7c9232a8 085df4ec 085dffdc 085df50c kernel32!_except_handler3+0x61
085df424 7c92327a 085df4ec 085dffdc 085df50c ntdll!ExecuteHandler2+0x26
085df4d4 7c92e48a 00000000 085df50c 085df4ec ntdll!ExecuteHandler+0x24


4. Switch to this thread (in this example the thread is 9, so the command is ~9s).

 
5. Kernel32! ! The DWORD Value of the first parameter _ except_handler indicates the exception record. To obtain information about the exception type, run the following command prompt:

. EXR first DWORD from Step 5

0:009> .exr 085df4ec
ExceptionAddress: 7c812afb (kernel32!RaiseException+0x00000053)
   ExceptionCode: e06d7363 (C++ EH exception)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 19930520
   Parameter[1]: 085df874
   Parameter[2]: 006c010c


6. The third parameter of kernel32!_except_handler (the third DWORD in the Args to Child column, 085df50c) is the pointer to the context record. To load that context, run the following command at the command prompt:
.cxr <third parameter of the _except_handler frame from step 3>
0:009> .cxr 085df50c
eax=085df7dc ebx=04155d34 ecx=00000000 edx=01240608 esi=085df864 edi=00100000
eip=7c812afb esp=085df7d8 ebp=085df82c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
kernel32!RaiseException+0x53:
7c812afb 5e               pop     esi


7. Run the kv command to obtain the actual faulting call stack, now unwound from the context loaded by .cxr. This lets you identify the code that raised the exception and was not handled correctly:
0:009> kv
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
09a8fa2c 780119ab 09a8fad4 00000000 09a8faa8 msvcrt!strnicmp+0x92
09a8fa40 7801197c 09a8fad4 00000000 6d7044fd msvcrt!stricmp+0x3c
09a8fa80 6e5a6ef6 09a8fad4 2193d68d 00e5e298 msvcrt!stricmp+0xd

