0

I have a 32-bit application (targeting .NET 3.5) hosted on a 64-bit machine. I want to analyze the memory dump of this 32-bit application. I captured the memory dump using 32-bit adplus and cdb. I am loading the memory dump into 32-bit windbg. When I load .net 2.0 sos.dll and .net 2.0 mscorwks.dll into windbg and execute !clrstack, I get the following error: "Failed to find runtime DLL (mscorwks.dll), 0x80004005 Extension commands need mscorwks.dll in order to have something to do." What am I doing wrong?

Info as requested in the comments

ADPlus command line:

adplus -hang -quiet -p 2440 -o C:\temp

WinDbg commands:

0:000> .load <fullpathto>\sos.dll

0:000> lmvm mscorwks
start    end        module name

0:000> .exr -1
ExceptionAddress: 00000000
   ExceptionCode: 80000007 (Wake debugger)
  ExceptionFlags: 00000000
NumberParameters: 0
Thomas Weller
  • 55,411
  • 20
  • 125
  • 222
DBK
  • 403
  • 4
  • 13
  • 1
    This means that mscorwks.dll cannot be found in the *target* (the dump). You don't load mscorwks.dll into the debugger. What is the output of "lmvm mscorwks"? You're probably in a situation where .NET 3.5 (which still uses the 2.0 runtime) is not yet initialized in the target process. – Steve Johnson Jan 30 '15 at 01:11
  • 1
    I should also have asked another question. What is the output of "lmvm clr"? – Steve Johnson Jan 30 '15 at 01:31
  • You don't need to load mscorwks.dll into WinDbg. It does nothing there. It should be loaded in your process (which it probably isn't), not in the debugger. Which command did you use to load SOS? Which command did you use to start AdPlus? You might be a victim of the initial breakpoint. What does the output of `.exr -1` show? Please add that information to the question. – Thomas Weller Jan 30 '15 at 15:31
  • @Steve: the output of lmvm mscorwks: start end modulename – DBK Jan 30 '15 at 19:32
  • @thomas:>>Which command did you use to load SOS?.load followed by the location of sos dll. >>Which command did you use to start AdPlus? adplus -hang -quiet -p 2440 -o C:\temp. >What does the output of .exr -1 show? ExceptionAddress: 00000000 ExceptionCode: 80000007 (Wake debugger) ExceptionFlags: 00000000 NumberParameters: 0 – DBK Jan 30 '15 at 19:34
  • Show us the output of "lmvm clr", please. – Steve Johnson Jan 30 '15 at 21:26

1 Answers1

1

The dump indicates that no .NET 2 was loaded. Otherwise the output of lmvm mscorwks should show the details of the .NET runtime, like this:

0:003> lmvm mscorwks
start    end        module name
61bc0000 6216e000   mscorwks   (deferred)             
    Image path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
    ...
    File version:     2.0.50727.5485
    ...

You mentioned that you loaded SOS by full path. If the dump was taken on your machine, you would typically load it using

0:003> .loadby sos mscorwks

In your case, this should already give you the hint that .NET was not loaded:

Unable to find module 'mscorwks'

If you're not so sure about the .NET version, try

.loadby sos clr; *** .NET 4
.loadby sos coreclr; *** Silverlight / Universal Apps

Maybe you had a typo in your AdPlus command line and specified the wrong process ID. If that PID accidentally exists, you got a wrong dump. Use | to check the process name

0:003> |
.  0    id: 1e78    attach  name: E:\...\NET2x32.exe

BTW: The -quiet parameter of ADPlus is obsolete, you can omit it.

Thomas Weller
  • 55,411
  • 20
  • 125
  • 222