Livekd Could Not Resolve Symbols For Ntoskrnl.Exe


Yes, livekd.exe opened up kd.exe, but after this it loaded c:\windows\system32\livekd.dmp; I checked and the file is 0 KB. Then it loaded symbols; it looks like the kernel symbols are OK, then it loads the user symbols.

How to Install and Configure WinDBG for BSOD Analysis

WinDBG (Windows DeBuGger) is a Microsoft software tool that is needed to load and analyse the .dmp files that are created when a system BSODs. The latest version of WinDBG allows debugging of Windows 10, Windows 8.x, Windows 7, and Windows Vista.
This tutorial will show you how to download, install, configure and test WinDBG in preparation for analysing BSODs.
WinDBG requires .NET Framework 4.6 in order to run. If it's not installed, download it from this location, and install it before downloading and installing WinDBG.

Dumps from C:\Windows and C:\Windows\Minidump cannot be opened unless you move them to another location first.


Downloading and Installing WinDBG

1. Download the WinDBG sdksetup.exe setup file.
2. Run sdksetup.exe, and specify the installation location (this example uses the default location):

3. Once you have accepted the licence agreement, you will be prompted to select the features to install. Select only the Debugging Tools for Windows option, as shown. Proceed with installation.

4. The debugging tools will be downloaded and installed.


Associate .dmp files with WinDBG

If configured correctly, Windows will write information to a .dmp file when the host system BSODs. To read the information within the .dmp file, the file type needs to be associated with WinDBG.
1. Open an elevated command prompt by right-clicking on the Windows Start Button and selecting Command Prompt (Admin).
2. Copy the highlighted text below, and paste it into the command prompt window using Ctrl+V and hit enter to change directory to the installation location path.

cd \Program Files (x86)\Windows Kits\10\Debuggers\x64

3. Now copy this highlighted text, paste it into the command prompt window, and hit enter to make the association.
4. This is how it looks when executed in the command prompt window.

If done correctly, a new blank instance of WinDBG will open with a confirmation box. WinDBG can now be closed.


Configuring the WinDBG Symbol Path

The symbol path is the location in which WinDBG searches for symbols each time it reads a binary in the BSOD .dmp file. It is critical to get this step correct.
You can specify any location to create a cache/store of downloaded symbols, but I recommend using the default location (as used in this tutorial).
To create and set a symbol path, do the following.
1. Start a blank instance of WinDBG by going to:
2. In the WinDBG panel, go to:
File > Symbol File Path
3. Copy the highlighted text below and paste it into the Symbol Search Path box, and click OK - there is no confirmation.
SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols

What that line means is:
  • Create a folder called C:\SymCache
  • Download new symbols from the msdl site and save them to C:\SymCache

You can specify any path you like, for example SRV*E:\My_Symbols*http://msdl.microsoft.com/download/symbols will also work.
4. Save the symbol path by going to:
File > Save WorkSpace
5. Close WinDBG.
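
The SRV*cache*server syntax set in step 3 can be checked before it is pasted into WinDBG. The following is an added example, not part of the original tutorial: the function names are hypothetical, the input strings are constructed from the path above, and the plain-HTTP and drive-relative checks are review points added here.

```python
import re
from urllib.parse import urlparse

def parse_symbol_path(path):
    """Split a symbol path into elements (';'-separated).

    'SRV*a*b' is a symbol-server element: the last field is the upstream
    store, the fields before it are local caches. Anything else is a folder.
    """
    elements = []
    for raw in (p.strip() for p in path.split(";")):
        if not raw:
            continue
        fields = raw.split("*")
        if fields[0].lower() == "srv" and len(fields) >= 2:
            elements.append({"kind": "server",
                             "caches": [f for f in fields[1:-1] if f],
                             "upstream": fields[-1]})
        else:
            elements.append({"kind": "folder", "path": raw})
    return elements

def review_symbol_path(path):
    """Return the findings a reviewer would raise for this symbol path."""
    elements = parse_symbol_path(path)
    if not elements:
        return ["empty path: the debugger cannot load symbols"]
    findings = []
    for el in elements:
        if el["kind"] != "server":
            continue
        if not el["caches"]:
            findings.append("no cache folder named; the debugger picks its default store")
        for cache in el["caches"]:
            # 'C:SymCache' (no backslash) is relative to the current
            # directory on C:, so the cache moves with the working directory.
            if re.match(r"^[A-Za-z]:[^\\/]", cache):
                findings.append(f"cache {cache!r} is drive-relative, not rooted")
        if urlparse(el["upstream"]).scheme == "http":
            findings.append("upstream uses plain HTTP; symbols are not "
                            "protected in transit")
    return findings

if __name__ == "__main__":
    # Constructed inputs based on the path used in this tutorial.
    for p in (r"SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols",
              r"SRV*C:SymCache*https://msdl.microsoft.com/download/symbols"):
        print(p, "->", review_symbol_path(p))
```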

Testing the WinDBG Installation

1. Download this small zip file.
2. Open it, and double click the .dmp file.
3. WinDBG should open automatically and you should see some text appearing in the workspace. Since this is the first .dmp file being read on your system, WinDBG will appear to be slow; do not interrupt it. What is happening is:

  • A folder called SymCache is being created on C:
  • Symbols are being downloaded and saved to C:\SymCache

The next time a .dmp is opened, it will be quicker since it already has some symbols. Over time the C:\SymCache folder will grow in size as more symbols are added. My current SymCache folder is 1.07 GB in size.
You will know the reading of the .dmp file is complete when your output looks like this. Note the breakpoint that I have highlighted in bold red text - that means the .dmp file has been completely read.
To close WinDBG go to File > Exit

You are done. WinDBG has been installed, the .dmp file association created, and the symbol path set up correctly.


Resolve Symbols

After using DeBug this is the error I get. I'm currently using Windows 7 Ultimate 64-bit. I am getting the BSOD not long after booting. Any help in the matter would be appreciated.
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\113009-22963-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`02c55000 PsLoadedModuleList = 0xfffff800`02e92e50
Debug session time: Mon Nov 30 10:50:35.879 2009 (GMT-8)
System Uptime: 0 days 0:19:33.206
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff8e0009e89bc, 1, fffff80002dfa2c2, 5}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Probably caused by : ntoskrnl.exe ( nt+1a52c2 )

Followup: MachineOwner
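
A log like the one in the post above can be triaged automatically before anyone reads the bugcheck verdict. This is an added example, not part of the original post: the function name and result keys are hypothetical, and the sample is a constructed excerpt of the lines shown above.

```python
import re

# Constructed sample: lines excerpted from the debugger output in the post above.
SAMPLE_LOG = r"""
Symbol search path is: *** Invalid ***
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
BugCheck 50, {fffff8e0009e89bc, 1, fffff80002dfa2c2, 5}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** Type referenced: nt!_KPRCB ***
Probably caused by : ntoskrnl.exe ( nt+1a52c2 )
"""

def triage(log):
    """Summarise the symbol state and bugcheck of a WinDbg/kd session log."""
    def first(pattern):
        m = re.search(pattern, log, re.M)
        return m.group(1).strip() if m else None

    sym_path = first(r"^Symbol search path is:(.*)$")
    unresolved = sorted(set(re.findall(
        r"symbols could not be loaded for (\S+)", log)))
    bugcheck = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", log, re.M)
    path_valid = bool(sym_path) and "Invalid" not in sym_path
    symbols_wrong = "Kernel symbols are WRONG" in log
    return {
        "symbol_path_valid": path_valid,
        "modules_without_symbols": unresolved,
        "missing_types": sorted(set(re.findall(r"Type referenced: (\S+)", log))),
        # The debugger prints the bugcheck code in hexadecimal.
        "bugcheck_code": int(bugcheck.group(1), 16) if bugcheck else None,
        "bugcheck_args": ([a.strip() for a in bugcheck.group(2).split(",")]
                          if bugcheck else []),
        "blamed_module": first(r"^Probably caused by : (\S+)"),
        # Without kernel symbols the "Probably caused by" line is only a
        # fallback guess, so flag the verdict instead of trusting it.
        "verdict_trustworthy": path_valid and not unresolved and not symbols_wrong,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `verdict_trustworthy` is false, the log's own advice applies: set the symbol path (for example with `.symfix`), run `.reload`, then repeat `!analyze -v`.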