WinDbg – Welcome to Logging

Performing dump analysis is oftentimes challenging due to the nature of the beast: the UI, or the lack thereof :). Some commands are extremely time-consuming, or maybe, like me, you just hate scrolling. Also, there is only so much that you can view by scrolling.

Logging can be enabled before running commands that produce tons of output. We can also create a separate log file for each command by setting one up before executing that command. From there, we can open the log files in an external editor like Notepad++ and work with WinDbg on another monitor.

To enable logging, go to the Edit menu -> Open/Close Log File…


Provide the log file name and click OK. You are all done. Check the Append checkbox to append to an existing file; otherwise the file gets overwritten.


After I am done capturing the logs that I need, I come back and click the Close Open Log File button to close the open file. This disables logging, while I take the file offline for analysis.

The output can also be copied to Excel and formatted to quickly sift through.

.foreach WinDbg

Executing a command repeatedly over the output of another command is one of the coolest features in WinDbg. In the example below, I used one method table from the output of a !FinalizeQueue command. !FinalizeQueue, similar to !DumpHeap, provides the method table, object count, size allocated and the type.

  • Here 6dcf1230 is one of the method tables that I was interested in. I wanted to see if any objects in this table were rooted.
  • myvar is a variable that holds, in turn, each token from the output of the !DumpHeap command. -short returns only the addresses. Maybe in another article I will cover how to process the tokens.
  • The .echo command needs no introduction; in this context it is used twice, to display the address and to separate the output.
.foreach (myvar {!DumpHeap /d -mt 6dcf1230 -short}) {.echo myvar;!gcroot -all myvar;.echo **************;}
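
Once a .foreach run like the one above has been captured to a log file, the per-object output can be turned into a table for Excel. The following Python is an added example, not part of the original post; the sample log is constructed, and the "Found N roots." summary line it matches is an assumption about the !gcroot output, so adjust the pattern to what your log contains.

```python
import csv
import io
import re

SEPARATOR = re.compile(r"^\*{5,}$")            # line written by ".echo **************"
ADDRESS = re.compile(r"^[0-9a-fA-F]{8,16}$")   # line written by ".echo myvar"
ROOT_COUNT = re.compile(r"Found (\d+) (?:unique )?roots?")  # assumed !gcroot summary

# Constructed sample log: addresses, type name and !gcroot lines are illustrative.
SAMPLE_LOG = """\
0:000> .foreach (myvar {!DumpHeap /d -mt 6dcf1230 -short}) {.echo myvar;!gcroot -all myvar;.echo **************;}
02a41b2c
Found 0 roots.
**************
02a58f10
HandleTable:
    001d13ec (strong handle)
    -> 02a58f10 Example.LeakedType
Found 1 roots.
**************
"""

def parse_gcroot_log(text):
    """Return one record per object: address, root count, other !gcroot lines."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if SEPARATOR.match(stripped):
            if current:
                records.append(current)
            current = None
        elif current is None:
            if ADDRESS.match(stripped):
                current = {"address": stripped, "roots": None, "detail": []}
        elif (m := ROOT_COUNT.search(stripped)):
            current["roots"] = int(m.group(1))
        elif stripped:
            current["detail"].append(stripped)
    if current:  # log closed before the final separator: keep the partial record
        records.append(current)
    return records

def to_csv(records):
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["address", "roots", "detail"])
    for r in records:
        writer.writerow([r["address"], r["roots"], " | ".join(r["detail"])])
    return out.getvalue()
```

To use it on a real log, pass the text of the log file to parse_gcroot_log and write the result of to_csv to a .csv file; a record whose roots value is empty means the summary line was not found for that object.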


Fun with WinDbg

I was looking into a memory leak using a win-32 w3wp memory dump. Looking into the FinalizeQueue, I saw a System.Data.DataTableCollection object in Gen2. Based on a hunch, I dumped the method table.


Dumped a couple of the addresses listed above.


I looked at the dataset and the _list, which brought me to the _items below.


The list of items is actually an Array.


Dumping the array and reviewing one of the array element(s) as below.


Viewing the value for tablename showed the string below. This is one of the objects used to retain Trace data.

I am not posting the rest of the table structure, but if you are interested, you are welcome to follow the steps. Trace.axd was still active and I ended up disabling it. Now back to looking into the actual issue.

Recover Unencrypted Password using WinDBG

Interesting challenge at work today. A colleague of mine wanted to recover a password saved as part of an application’s configuration. The administrator who had set up this server was no longer with the team!

I tried a couple of options, but I am listing only the one that worked.

01-Cognos Password Screen

Launched the Application and had the particular window with the Password prompt open. This Configuration utility was loading each section dynamically.

After the configuration window was loaded and visible, the next step was to take a FULL memory dump (using Process Explorer).

Using WinDBG, searched for the username as shown below. The command does an ASCII search from the base address to the maximum address (32-bit). Refer to the documentation for the 64-bit syntax.

s -a 0 L?80000000 "Your Text"

02-Ascii String Search

Press ALT + 5 or go to the View | Memory menu.

03-View Memory

I typed in the address displayed in the ASCII search above. I was lucky enough to stumble upon a section of memory that had the unencrypted configuration with the username / password right next to each other. The security risk this might have posed is another topic.


I also noticed that the other database credentials were not part of this memory dump. I had to redo these steps from the beginning to recover the other passwords. There were numerous other passwords that had to be recovered, but that is for another post.