Livekd Could Not Resolve Symbols For Ntoskrnl.Exe
Tweet with a location. You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. Yes,livekd.exe opened up the kd.exe,but after this, it loaded c: windows system32 livekd.dmp, I checked the file is 0kb. Then it loaded symbols,looks the kernel symbols is ok, load the user symbols.
This tutorial will show you how to download, install, configure and test WinDBG in preparation for analysing BSOD's.
Dumps from C:Windows and C:WindowsMinidump cannot be opened unless you move them to another location first.
1. Download the WinDBG sdksetup.exe setup file.
2. Run sdksetup.exe, and specify the installation location (this example uses the default location):
3. Once you have accepted the licence agreement, you will be prompted to select the features to install. Select only the Debugging Tools for Windows option, as shown. Proceed with installation.
4. The debugging tools will be downloaded and installed.
If configured correctly, Windows will write information to a .dmp file when the host system BSOD's. In order to read the information within the .dmp file, it needs to be associated with WinDBG.
1. Open an elevated command prompt by right-clicking on the Windows Start Button and selecting Command Prompt (Admin).
2. Copy the highlighted text below, and paste it into the command prompt window using Ctrl+V and hit enter to change directory to the installation location path.
3. Now copy this highlighted text, paste it into the command prompt window, and hit enter to make the association.
4. This is how it looks when executed in the command prompt window.
If done correctly, a new blank instance of WinDBG will open with a confirmation box. WinDBG can now be closed.
The symbol path is the location in which WinDBG searches for symbols each time it reads a binary in the BSOD .dmp file. It is critical to get this step correct.
You can specify any location to create a cache/store of downloaded symbols, but I recommend using the default location (as used in this tutorial).
To create and set a symbol path, do the following.
1. Start a blank instance of WinDBG by going to:
2. In the WinDBG panel, go to:
What that line means is :
- Create a folder called C:SymCache
- Download new symbols from the msdl site and save them to C:SymCache
You can specify any path you like, for example SRV*E:My_Symbols*http://msdl.microsoft.com/download/symbolswill also work.
4. Save the symbol path by going to:
1. Download this small zip file.
2. Open it, and double click the .dmp file.
3 WinDBG should open automatically and you should see some text appearing in the workspace. Since this is the first .dmp file being read on your system, WinDBG appears to be slow do not interrupt it. What is happening is:
- A folder called Symcache is being created on C:
- Symbols are being downloaded and saved to C:Symcache
The next time a .dmp is opened, it will be quicker since it already has some symbols. Over time the C:Symcache folder will grow in size as more symbols are added. My current Symcache folder is 1.07GB in size.You will know the reading of the .dmp file is complete when our output looks like this. Note the breakpoint that I have highlighted in bold text red - that means the .dmp file has been completely read.
To close WinDBG go to File > Exit
You are done. WinDBG has been installed, .dmp file associations created, and symbol path correctly setup.
Resolve Symbols
After using DeBug this is the error I get. I'm currently using Windows 7 Ultimate 64-bit. I am getting the BSOD not long after booting. Any help in the matter would be appreciated.
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:WindowsMinidump113009-22963-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image SystemRootsystem32ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`02c55000 PsLoadedModuleList = 0xfffff800`02e92e50
Debug session time: Mon Nov 30 10:50:35.879 2009 (GMT-8)
System Uptime: 0 days 0:19:33.206
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image SystemRootsystem32ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {fffff8e0009e89bc, 1, fffff80002dfa2c2, 5}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Probably caused by : ntoskrnl.exe ( nt+1a52c2 )
Followup: MachineOwner