
I am attempting to debug a crash dump from my VB.NET code which is supposed to run 24-7 on a Win7 machine which does not have a debugger. The target on all modules is 32-bit, so I don't know why it appears that it is attempting the 64-bit stuff.

It appears that it is trying to attach to a debugger and failing, so it aborts. I log into the machine and find that it has crashed again, so I make a crashdump.DMP file which stops on the following trace:

```
wow64.dll!Wow64NotifyDebugger()  + 0x1d bytes
wow64.dll!HandleRaiseException()  + 0xee bytes
wow64.dll!Wow64NtRaiseException()  + 0x88 bytes
wow64.dll!whNtRaiseException()  + 0x15 bytes
wow64.dll!Wow64SystemServiceEx()  + 0xd7 bytes
wow64cpu.dll!TurboDispatchJumpAddressEnd()  + 0x2d bytes
wow64.dll!RunCpuSimulation()  + 0xa bytes
wow64.dll!Wow64LdrpInitialize()  + 0x429 bytes
ntdll.dll!LdrpInitializeProcess()  + 0x1936 bytes
ntdll.dll!string "Enabling heap debug options\n"()  - 0x45fe9 bytes
ntdll.dll!LdrInitializeThunk()  + 0xe bytes
```

The same code does not crash at all when a debugger is attached remotely or locally.

Can anyone tell me what to look for? I have compiled the executable as a Debug x86 build so I can attach a debugger at will and view the Debug.Writeline() call output.

SMerrill8
  • How do you create a crash dump if that machine doesn't have a debugger? And what needs to happen that the callstack contains `ntdll.dll!string "Enabling heap debug options\n"()`? I've never seen that before, but maybe there are some Gflags options enabled for this process. – Thomas Weller Feb 24 '14 at 15:27

2 Answers


This is perfectly normal. "WOW64" is the name for the 32-bit on 64-bit compatibility system in Windows, and is involved when you run 32-bit code on a 64-bit Windows system.

nobody

On a 64 bit system, '32 bit windows' runs on an emulation layer, called wow64 (which you see) which translates the calls from 32 bits to 64 bits. So that's normal.

I did not fully understand from your question though: is the crash unexpected/somehow caused by a debugger?

MicroVirus
  • This is, technically, wrong. 32-bit code is **not** emulated on 64-bit Windows, and calls are not translated. There are both 32-bit and 64-bit versions of the various OS-provided user-mode libraries, and the appropriate ones are loaded depending on whether a process is 32-bit or 64-bit. – nobody Jan 14 '14 at 00:24
  • @AndrewMedico The translation is done at the level between the user-mode DLLs and the system calls which support them. So yes, you do get a lot of DLLs in the correct bits-setting, but since the system/kernel is 64 bits only, there is a translation going on. Maybe 'emulated' is too strong a word? But in a way, it is, certainly with path redirection, etc., also going on. So there's more happening in wow64 than just translating system calls, hence 'emulated'. – MicroVirus Jan 14 '14 at 00:29
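
Added example, not part of the original question or answers: a small Python triage script that parses the frames posted in the question and tags each one as WOW64 layer, ntdll, or unreliable symbol, showing that no frame belongs to an application module. The function names and the "unreliable symbol" heuristic are assumptions made for this illustration.

```python
import re
from collections import Counter

# 64-bit WOW64 thunk DLLs that Windows maps into 32-bit processes on x64.
WOW64_LAYER = {"wow64.dll", "wow64cpu.dll", "wow64win.dll"}

# One frame as printed in the question: module!symbol()  +/- 0xNN bytes
FRAME_RE = re.compile(
    r"^(?P<module>[^!\s]+)!(?P<symbol>.+?)\(\)\s+(?P<sign>[+-])\s+"
    r"0x(?P<off>[0-9a-fA-F]+) bytes$")

# The trace from the question, copied verbatim (raw string keeps the literal \n).
TRACE = r'''
wow64.dll!Wow64NotifyDebugger()  + 0x1d bytes
wow64.dll!HandleRaiseException()  + 0xee bytes
wow64.dll!Wow64NtRaiseException()  + 0x88 bytes
wow64.dll!whNtRaiseException()  + 0x15 bytes
wow64.dll!Wow64SystemServiceEx()  + 0xd7 bytes
wow64cpu.dll!TurboDispatchJumpAddressEnd()  + 0x2d bytes
wow64.dll!RunCpuSimulation()  + 0xa bytes
wow64.dll!Wow64LdrpInitialize()  + 0x429 bytes
ntdll.dll!LdrpInitializeProcess()  + 0x1936 bytes
ntdll.dll!string "Enabling heap debug options\n"()  - 0x45fe9 bytes
ntdll.dll!LdrInitializeThunk()  + 0xe bytes
'''

def parse_trace(text):
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            off = int(m["off"], 16)
            frames.append((m["module"].lower(), m["symbol"],
                           -off if m["sign"] == "-" else off))
    return frames

def classify(frame):
    module, symbol, offset = frame
    # Assumed heuristic: negative offset or "string" symbol = nearest-symbol guess.
    if offset < 0 or symbol.startswith("string "):
        return "unreliable-symbol"
    if module in WOW64_LAYER:
        return "wow64-layer"
    return "ntdll" if module == "ntdll.dll" else "other"

def summarize(text):
    return dict(Counter(classify(f) for f in parse_trace(text)))

if __name__ == "__main__":
    print(summarize(TRACE))
```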