\n"
},
{
"path": "CNAME",
"content": "wtrace.net"
},
{
"path": "Gemfile",
"content": "source \"https://rubygems.org\"\n# Hello! This is where you manage which Jekyll version is used to run.\n# When you want to use a different version, change it below, save the\n# file and run `bundle install`. Run Jekyll with `bundle exec`, like so:\n#\n# bundle exec jekyll serve\n#\n# This will help ensure the proper Jekyll version is running.\n# Happy Jekylling!\n# gem \"jekyll\", \"~> 4.2.0\"\n# This is the default theme for new Jekyll sites. You may change this to anything you like.\ngem \"minima\", \"~> 2.5\"\n# gem \"jekyll-theme-cayman\", \"~> 0.2.0\"\n# If you want to use GitHub Pages, remove the \"gem \"jekyll\"\" above and\n# uncomment the line below. To upgrade, run `bundle update github-pages`.\ngem \"github-pages\", group: :jekyll_plugins\n# If you have any plugins, put them here!\ngroup :jekyll_plugins do\n gem \"jekyll-feed\", \"~> 0.12\"\nend\n\n# Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem\n# and associated library.\nplatforms :mingw, :x64_mingw, :mswin, :jruby do\n gem \"tzinfo\", \"~> 1.2\"\n gem \"tzinfo-data\"\nend\n\n# Performance-booster for watching directories on Windows\ngem \"wdm\", \"~> 0.1.1\", :platforms => [:mingw, :x64_mingw, :mswin]\n\ngem \"webrick\", \"~> 1.7\"\n\ngem \"json\", \"~> 2.7\"\n"
},
{
"path": "LICENSE",
"content": "Attribution 4.0 International\n\n=======================================================================\n\nCreative Commons Corporation (\"Creative Commons\") is not a law firm and\ndoes not provide legal services or legal advice. Distribution of\nCreative Commons public licenses does not create a lawyer-client or\nother relationship. Creative Commons makes its licenses and related\ninformation available on an \"as-is\" basis. Creative Commons gives no\nwarranties regarding its licenses, any material licensed under their\nterms and conditions, or any related information. Creative Commons\ndisclaims all liability for damages resulting from their use to the\nfullest extent possible.\n\nUsing Creative Commons Public Licenses\n\nCreative Commons public licenses provide a standard set of terms and\nconditions that creators and other rights holders may use to share\noriginal works of authorship and other material subject to copyright\nand certain other rights specified in the public license below. The\nfollowing considerations are for informational purposes only, are not\nexhaustive, and do not form part of our licenses.\n\n Considerations for licensors: Our public licenses are\n intended for use by those authorized to give the public\n permission to use material in ways otherwise restricted by\n copyright and certain other rights. Our licenses are\n irrevocable. Licensors should read and understand the terms\n and conditions of the license they choose before applying it.\n Licensors should also secure all rights necessary before\n applying our licenses so that the public can reuse the\n material as expected. Licensors should clearly mark any\n material not subject to the license. This includes other CC-\n licensed material, or material used under an exception or\n limitation to copyright. More considerations for licensors:\n wiki.creativecommons.org/Considerations_for_licensors\n\n Considerations for the public: By using one of our public\n licenses, a licensor grants the public permission to use the\n licensed material under specified terms and conditions. If\n the licensor's permission is not necessary for any reason--for\n example, because of any applicable exception or limitation to\n copyright--then that use is not regulated by the license. Our\n licenses grant only permissions under copyright and certain\n other rights that a licensor has authority to grant. Use of\n the licensed material may still be restricted for other\n reasons, including because others have copyright or other\n rights in the material. A licensor may make special requests,\n such as asking that all changes be marked or described.\n Although not required by our licenses, you are encouraged to\n respect those requests where reasonable. More considerations\n for the public:\n wiki.creativecommons.org/Considerations_for_licensees\n\n=======================================================================\n\nCreative Commons Attribution 4.0 International Public License\n\nBy exercising the Licensed Rights (defined below), You accept and agree\nto be bound by the terms and conditions of this Creative Commons\nAttribution 4.0 International Public License (\"Public License\"). To the\nextent this Public License may be interpreted as a contract, You are\ngranted the Licensed Rights in consideration of Your acceptance of\nthese terms and conditions, and the Licensor grants You such rights in\nconsideration of benefits the Licensor receives from making the\nLicensed Material available under these terms and conditions.\n\n\nSection 1 -- Definitions.\n\n a. Adapted Material means material subject to Copyright and Similar\n Rights that is derived from or based upon the Licensed Material\n and in which the Licensed Material is translated, altered,\n arranged, transformed, or otherwise modified in a manner requiring\n permission under the Copyright and Similar Rights held by the\n Licensor. For purposes of this Public License, where the Licensed\n Material is a musical work, performance, or sound recording,\n Adapted Material is always produced where the Licensed Material is\n synched in timed relation with a moving image.\n\n b. Adapter's License means the license You apply to Your Copyright\n and Similar Rights in Your contributions to Adapted Material in\n accordance with the terms and conditions of this Public License.\n\n c. Copyright and Similar Rights means copyright and/or similar rights\n closely related to copyright including, without limitation,\n performance, broadcast, sound recording, and Sui Generis Database\n Rights, without regard to how the rights are labeled or\n categorized. For purposes of this Public License, the rights\n specified in Section 2(b)(1)-(2) are not Copyright and Similar\n Rights.\n\n d. Effective Technological Measures means those measures that, in the\n absence of proper authority, may not be circumvented under laws\n fulfilling obligations under Article 11 of the WIPO Copyright\n Treaty adopted on December 20, 1996, and/or similar international\n agreements.\n\n e. Exceptions and Limitations means fair use, fair dealing, and/or\n any other exception or limitation to Copyright and Similar Rights\n that applies to Your use of the Licensed Material.\n\n f. Licensed Material means the artistic or literary work, database,\n or other material to which the Licensor applied this Public\n License.\n\n g. Licensed Rights means the rights granted to You subject to the\n terms and conditions of this Public License, which are limited to\n all Copyright and Similar Rights that apply to Your use of the\n Licensed Material and that the Licensor has authority to license.\n\n h. Licensor means the individual(s) or entity(ies) granting rights\n under this Public License.\n\n i. Share means to provide material to the public by any means or\n process that requires permission under the Licensed Rights, such\n as reproduction, public display, public performance, distribution,\n dissemination, communication, or importation, and to make material\n available to the public including in ways that members of the\n public may access the material from a place and at a time\n individually chosen by them.\n\n j. Sui Generis Database Rights means rights other than copyright\n resulting from Directive 96/9/EC of the European Parliament and of\n the Council of 11 March 1996 on the legal protection of databases,\n as amended and/or succeeded, as well as other essentially\n equivalent rights anywhere in the world.\n\n k. You means the individual or entity exercising the Licensed Rights\n under this Public License. Your has a corresponding meaning.\n\n\nSection 2 -- Scope.\n\n a. License grant.\n\n 1. Subject to the terms and conditions of this Public License,\n the Licensor hereby grants You a worldwide, royalty-free,\n non-sublicensable, non-exclusive, irrevocable license to\n exercise the Licensed Rights in the Licensed Material to:\n\n a. reproduce and Share the Licensed Material, in whole or\n in part; and\n\n b. produce, reproduce, and Share Adapted Material.\n\n 2. Exceptions and Limitations. For the avoidance of doubt, where\n Exceptions and Limitations apply to Your use, this Public\n License does not apply, and You do not need to comply with\n its terms and conditions.\n\n 3. Term. The term of this Public License is specified in Section\n 6(a).\n\n 4. Media and formats; technical modifications allowed. The\n Licensor authorizes You to exercise the Licensed Rights in\n all media and formats whether now known or hereafter created,\n and to make technical modifications necessary to do so. The\n Licensor waives and/or agrees not to assert any right or\n authority to forbid You from making technical modifications\n necessary to exercise the Licensed Rights, including\n technical modifications necessary to circumvent Effective\n Technological Measures. For purposes of this Public License,\n simply making modifications authorized by this Section 2(a)\n (4) never produces Adapted Material.\n\n 5. Downstream recipients.\n\n a. Offer from the Licensor -- Licensed Material. Every\n recipient of the Licensed Material automatically\n receives an offer from the Licensor to exercise the\n Licensed Rights under the terms and conditions of this\n Public License.\n\n b. No downstream restrictions. You may not offer or impose\n any additional or different terms or conditions on, or\n apply any Effective Technological Measures to, the\n Licensed Material if doing so restricts exercise of the\n Licensed Rights by any recipient of the Licensed\n Material.\n\n 6. No endorsement. Nothing in this Public License constitutes or\n may be construed as permission to assert or imply that You\n are, or that Your use of the Licensed Material is, connected\n with, or sponsored, endorsed, or granted official status by,\n the Licensor or others designated to receive attribution as\n provided in Section 3(a)(1)(A)(i).\n\n b. Other rights.\n\n 1. Moral rights, such as the right of integrity, are not\n licensed under this Public License, nor are publicity,\n privacy, and/or other similar personality rights; however, to\n the extent possible, the Licensor waives and/or agrees not to\n assert any such rights held by the Licensor to the limited\n extent necessary to allow You to exercise the Licensed\n Rights, but not otherwise.\n\n 2. Patent and trademark rights are not licensed under this\n Public License.\n\n 3. To the extent possible, the Licensor waives any right to\n collect royalties from You for the exercise of the Licensed\n Rights, whether directly or through a collecting society\n under any voluntary or waivable statutory or compulsory\n licensing scheme. In all other cases the Licensor expressly\n reserves any right to collect such royalties.\n\n\nSection 3 -- License Conditions.\n\nYour exercise of the Licensed Rights is expressly made subject to the\nfollowing conditions.\n\n a. Attribution.\n\n 1. If You Share the Licensed Material (including in modified\n form), You must:\n\n a. retain the following if it is supplied by the Licensor\n with the Licensed Material:\n\n i. identification of the creator(s) of the Licensed\n Material and any others designated to receive\n attribution, in any reasonable manner requested by\n the Licensor (including by pseudonym if\n designated);\n\n ii. a copyright notice;\n\n iii. a notice that refers to this Public License;\n\n iv. a notice that refers to the disclaimer of\n warranties;\n\n v. a URI or hyperlink to the Licensed Material to the\n extent reasonably practicable;\n\n b. indicate if You modified the Licensed Material and\n retain an indication of any previous modifications; and\n\n c. indicate the Licensed Material is licensed under this\n Public License, and include the text of, or the URI or\n hyperlink to, this Public License.\n\n 2. You may satisfy the conditions in Section 3(a)(1) in any\n reasonable manner based on the medium, means, and context in\n which You Share the Licensed Material. For example, it may be\n reasonable to satisfy the conditions by providing a URI or\n hyperlink to a resource that includes the required\n information.\n\n 3. If requested by the Licensor, You must remove any of the\n information required by Section 3(a)(1)(A) to the extent\n reasonably practicable.\n\n 4. If You Share Adapted Material You produce, the Adapter's\n License You apply must not prevent recipients of the Adapted\n Material from complying with this Public License.\n\n\nSection 4 -- Sui Generis Database Rights.\n\nWhere the Licensed Rights include Sui Generis Database Rights that\napply to Your use of the Licensed Material:\n\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right\n to extract, reuse, reproduce, and Share all or a substantial\n portion of the contents of the database;\n\n b. if You include all or a substantial portion of the database\n contents in a database in which You have Sui Generis Database\n Rights, then the database in which You have Sui Generis Database\n Rights (but not its individual contents) is Adapted Material; and\n\n c. You must comply with the conditions in Section 3(a) if You Share\n all or a substantial portion of the contents of the database.\n\nFor the avoidance of doubt, this Section 4 supplements and does not\nreplace Your obligations under this Public License where the Licensed\nRights include other Copyright and Similar Rights.\n\n\nSection 5 -- Disclaimer of Warranties and Limitation of Liability.\n\n a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE\n EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS\n AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF\n ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,\n IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,\n WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR\n PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,\n ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT\n KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT\n ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.\n\n b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE\n TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,\n NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,\n INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,\n COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR\n USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN\n ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR\n DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR\n IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.\n\n c. The disclaimer of warranties and limitation of liability provided\n above shall be interpreted in a manner that, to the extent\n possible, most closely approximates an absolute disclaimer and\n waiver of all liability.\n\n\nSection 6 -- Term and Termination.\n\n a. This Public License applies for the term of the Copyright and\n Similar Rights licensed here. However, if You fail to comply with\n this Public License, then Your rights under this Public License\n terminate automatically.\n\n b. Where Your right to use the Licensed Material has terminated under\n Section 6(a), it reinstates:\n\n 1. automatically as of the date the violation is cured, provided\n it is cured within 30 days of Your discovery of the\n violation; or\n\n 2. upon express reinstatement by the Licensor.\n\n For the avoidance of doubt, this Section 6(b) does not affect any\n right the Licensor may have to seek remedies for Your violations\n of this Public License.\n\n c. For the avoidance of doubt, the Licensor may also offer the\n Licensed Material under separate terms or conditions or stop\n distributing the Licensed Material at any time; however, doing so\n will not terminate this Public License.\n\n d. Sections 1, 5, 6, 7, and 8 survive termination of this Public\n License.\n\n\nSection 7 -- Other Terms and Conditions.\n\n a. The Licensor shall not be bound by any additional or different\n terms or conditions communicated by You unless expressly agreed.\n\n b. Any arrangements, understandings, or agreements regarding the\n Licensed Material not stated herein are separate from and\n independent of the terms and conditions of this Public License.\n\n\nSection 8 -- Interpretation.\n\n a. For the avoidance of doubt, this Public License does not, and\n shall not be interpreted to, reduce, limit, restrict, or impose\n conditions on any use of the Licensed Material that could lawfully\n be made without permission under this Public License.\n\n b. To the extent possible, if any provision of this Public License is\n deemed unenforceable, it shall be automatically reformed to the\n minimum extent necessary to make it enforceable. If the provision\n cannot be reformed, it shall be severed from this Public License\n without affecting the enforceability of the remaining terms and\n conditions.\n\n c. No term or condition of this Public License will be waived and no\n failure to comply consented to unless expressly agreed to by the\n Licensor.\n\n d. Nothing in this Public License constitutes or may be interpreted\n as a limitation upon, or waiver of, any privileges and immunities\n that apply to the Licensor or You, including from the legal\n processes of any jurisdiction or authority.\n\n\n=======================================================================\n\nCreative Commons is not a party to its public\nlicenses. Notwithstanding, Creative Commons may elect to apply one of\nits public licenses to material it publishes and in those instances\nwill be considered the “Licensor.” The text of the Creative Commons\npublic licenses is dedicated to the public domain under the CC0 Public\nDomain Dedication. Except for the limited purpose of indicating that\nmaterial is shared under a Creative Commons public license or as\notherwise permitted by the Creative Commons policies published at\ncreativecommons.org/policies, Creative Commons does not authorize the\nuse of the trademark \"Creative Commons\" or any other trademark or logo\nof Creative Commons without its prior written consent including,\nwithout limitation, in connection with any unauthorized modifications\nto any of its public licenses or any other arrangements,\nunderstandings, or agreements concerning use of licensed material. For\nthe avoidance of doubt, this paragraph does not form part of the\npublic licenses.\n\nCreative Commons may be contacted at creativecommons.org.\n\n"
},
{
"path": "README.md",
"content": "\nDebug Recipes\n=============\n\nIt is a repository of my field notes collected while debugging various .NET application problems on Windows (mainly) and Linux. They do not contain much theory but rather describe tools and scripts with some usage examples.\n\n:floppy_disk: Old and no longer updated recipes are in the [archived branch](https://github.com/lowleveldesign/debug-recipes/tree/archive).\n\nThe recipes are available in the guides folder and at **[wtrace.net](https://wtrace.net/guides)** (probably the best way to view them).\n\n## Troubleshooting guides\n\n- [Diagnosing .NET applications](guides/diagnosing-dotnet-apps.md)\n- [Diagnosing native Windows applications](guides/diagnosing-native-windows-apps.md)\n- [COM troubleshooting](guides/com-troubleshooting)\n\n## Tools usage guides\n\n- [WinDbg usage guide](guides/windbg.md)\n- [Event Tracing for Windows (ETW)](guides/etw.md)\n- [Using withdll and detours to trace Win API calls](guides/using-withdll-and-detours-to-trace-winapi.md)\n- [Windows Performance Counters](guides/windows-performance-counters.md)\n- [Network tracing tools](guides/network-tracing-tools.md)\n"
},
{
"path": "_config.yml",
"content": "title: wtrace.net\nemail: contact@wtrace.net\ndescription: >- # this means to ignore newlines until \"baseurl:\"\n Tools and materials for software and system troubleshooting \nbaseurl: \"\" # the subpath of your site, e.g. /blog\nurl: \"https://wtrace.net\" # the base hostname & protocol for your site, e.g. http://example.com\n\nyoutube_username: \"@lowleveldesign\"\ngithub_username: lowleveldesign\n\npermalink: pretty\n\ndefaults:\n - \n scope:\n path: \"\"\n type: \"posts\"\n values:\n permalink: /:year/:month/:day/:title\n\n# Build settings\ntheme: minima\nplugins:\n - jekyll-feed\n - jekyll-seo-tag\n - jekyll-redirect-from\n - jekyll-sitemap\n - jemoji\n\nheader_pages:\n - guides.md\n - tools.md\n - about.md\n"
},
{
"path": "_includes/footer.html",
"content": "\n"
},
{
"path": "_includes/head.html",
"content": "\n\n \n \n \n\n \n \n \n \n \n \n \n\n {%- seo -%}\n \n {%- feed_meta -%}\n {%- if jekyll.environment == 'production' and site.google_analytics -%}\n {%- include google-analytics.html -%}\n {%- endif -%}\n\n"
},
{
"path": "_layouts/home.html",
"content": "---\n---\n\n\n\n {%- include head.html -%}\n\n \n\n {%- include header.html -%}\n\n
"
},
{
"path": "about.md",
"content": "---\nlayout: page\ntitle: About\n---\n\nI am **Sebastian Solnica**, a software engineer with more than 15 years of experience. My primary interests are debugging, profiling, and application security. I created this website to share tools and resources that can help you in your diagnostic endeavors. \n\nI also provide consulting services for troubleshooting .NET applications. If you would like to discuss consulting or contact me for any other reason, please use [the contact form on my blog](https://lowleveldesign.org/about/) or email me at contact@wtrace.net.\n\n
\nCredits: this site uses modified icons from the feather set.\n
"
},
{
"path": "articles.md",
"content": "---\nlayout: page\ntitle: Articles\nredirect_to: /guides\n---\n"
},
{
"path": "assets/main.scss",
"content": "---\n# Only the main Sass file needs front matter (the dashes are enough)\n---\n\n$brand-color: #CA4E07;\n$credits-color: #707070;\n\n@import \"minima\";\n\nbody {\n background-color: #f6f6ef;\n}\n\npre, code {\n background: transparent;\n}\n\n.highlighter-rouge .highlight {\n background: #f9f9f9;\n}\n\n.highlight .c {\n color: #6c6c62;\n}\n\n.post-title {\n @include relative-font-size(2.2);\n letter-spacing: -1px;\n line-height: 1;\n\n @include media-query($on-laptop) {\n @include relative-font-size(2.0);\n }\n}\n\n.post-content {\n table {\n table-layout: fixed;\n }\n\n table th {\n text-align: center;\n }\n\n table td {\n vertical-align: top;\n }\n\n h2, h3 {\n margin: 15px 0 15px 0;\n }\n}\n\n.site-title {\n @include relative-font-size(1.4);\n font-weight: 700;\n line-height: $base-line-height * $base-font-size * 2.25;\n letter-spacing: -1px;\n margin-bottom: 0;\n float: left;\n text-transform: uppercase;\n\n &, &:visited {\n color: $brand-color;\n }\n}\n\n.site-nav {\n .page-link {\n text-transform: uppercase;\n font-weight: 600;\n }\n}\n\n.feature-image {\n background-color: black;\n background-repeat: no-repeat;\n margin-bottom: 10px;\n padding-top: 50px;\n height: 300px;\n\n .wrapper {\n color: #ffffff;\n\n h1 {\n font-size: 4rem;\n font-weight: 900;\n margin-bottom: 0px\n }\n\n p {\n font-size: 1.2rem;\n }\n }\n}\n\np.credits {\n color: $credits-color;\n padding-top: 10px;\n margin-top: 10px;\n}\n"
},
{
"path": "assets/other/EtwMetadata.ps1.txt",
"content": "\r\n$ErrorActionPreference = \"Stop\"\r\n\r\n$MetadataFolder = \"$env:LOCALAPPDATA\\MyEtwMetadata\\ById\"\r\n$MetadataSearchByNameFolder = \"$env:LOCALAPPDATA\\MyEtwMetadata\\ByName\"\r\n\r\n\r\nif (-not (Test-Path $MetadataFolder)) {\r\n New-Item -ItemType Directory -Path $MetadataFolder | Out-Null\r\n}\r\n\r\nif (-not (Test-Path $MetadataSearchByNameFolder)) {\r\n New-Item -ItemType Directory -Path $MetadataSearchByNameFolder | Out-Null\r\n}\r\n\r\nfunction _SanitizeFileName {\r\n param ([Parameter(Mandatory = $true)]$FileName)\r\n\r\n [System.IO.Path]::GetInvalidFileNameChars() | ForEach-Object -Process {\r\n $FileName = $FileName.Replace($_, [char]'_')\r\n }\r\n $FileName\r\n}\r\n\r\nWrite-Output \"Initializing ETW providers metadata... \"\r\nwevtutil.exe ep | ForEach-Object -Process {\r\n $ProviderName = $_\r\n Write-Debug $ProviderName\r\n $xml = $(wevtutil.exe gp /f:xml \"$_\" 2>$null)\r\n if ($LASTEXITCODE -eq 0 -and $xml) {\r\n $metadata = [xml]$xml\r\n $metadata.Save($(Join-Path -Path $MetadataFolder -ChildPath \"$($metadata.provider.guid).xml\"));\r\n $metadata.provider.guid | Out-File $(\r\n Join-Path -Path $MetadataSearchByNameFolder -ChildPath \"$(_SanitizeFileName $ProviderName).txt\")\r\n }\r\n else {\r\n Write-Warning \"Invalid metadata for '$ProviderName'\"\r\n }\r\n}\r\n\r\nfunction _ResolveKeywords {\r\n param (\r\n [Parameter(Mandatory = $true)]$Metadata,\r\n [Parameter(Mandatory = $true)][ulong]$Keywords\r\n )\r\n\r\n if ($Metadata.provider.keywords) {\r\n $Metadata.provider.keywords.keyword | ForEach-Object -Process {\r\n $MaskValue = [ulong]::Parse($_.mask.TrimStart(@('0', 'x', 'X')), [System.Globalization.NumberStyles]::HexNumber)\r\n if ($Keywords -band $MaskValue) {\r\n [PSCustomObject]@{\r\n Name = $_.name\r\n Value = $MaskValue\r\n }\r\n }\r\n }\r\n }\r\n}\r\n\r\n# ** EXPORTS **\r\n\r\nfunction Get-EtwProvidersFromWprProfile {\r\n param (\r\n [Parameter(Mandatory = $true)][string]$WprProfilePath\r\n )\r\n\r\n if (-not (Test-Path $MetadataFolder)) {\r\n Write-Error \"No metadata found - please run Initialize-EtwProvidersMetadata first.\"\r\n }\r\n\r\n function ParseProvider([Parameter(ValueFromPipeline = $true, Mandatory = $true)]$ProviderData) {\r\n begin {}\r\n process {\r\n $MetadataPath = (Join-Path -Path $MetadataFolder -ChildPath \"$($ProviderData.Name).xml\")\r\n if (-not (Test-Path $MetadataPath)) {\r\n Write-Warning \"No metadata found for provider '$($ProviderData.Name)'\"\r\n return\r\n }\r\n\r\n Write-Debug \"Parsing provider '$($ProviderData.Name))'\"\r\n $Metadata = [xml](Get-Content $MetadataPath)\r\n\r\n [ulong]$Keywords = 0\r\n if ($ProviderData.Keywords) {\r\n $ProviderData.Keywords.Keyword.Value | ForEach-Object -Process {\r\n $Keywords = $Keywords -bor ([ulong]::Parse($_.TrimStart(@('0', 'x', 'X')), [System.Globalization.NumberStyles]::HexNumber)) }\r\n }\r\n else {\r\n $Keywords = [ulong]::MaxValue\r\n }\r\n\r\n [ulong]$CaptureOnSaveKeywords = 0\r\n if ($ProviderData.CaptureOnSaveKeywords) {\r\n $ProviderData.CaptureStateOnSave.Keyword.Value | ForEach-Object -Process {\r\n $CaptureOnSaveKeywords = $CaptureOnSaveKeywords -bor ([ulong]::Parse($_.TrimStart(@('0', 'x', 'X')), [System.Globalization.NumberStyles]::HexNumber)) }\r\n }\r\n\r\n [PSCustomObject]@{\r\n Id = $ProviderData.Name\r\n Name = $Metadata.provider.name\r\n Keywords = _ResolveKeywords $Metadata $Keywords\r\n CaptureOnSaveKeywords = _ResolveKeywords $Metadata $CaptureOnSaveKeywords\r\n }\r\n }\r\n end {}\r\n }\r\n \r\n $xml = [xml](Get-Content $WprProfilePath)\r\n\r\n $xml.WindowsPerformanceRecorder.Profiles.EventProvider | ParseProvider\r\n}\r\n\r\nfunction Get-EtwProviderMetadata {\r\n param([Parameter(ValueFromPipeline = $true, Mandatory = $true)]$ProviderName)\r\n\r\n $ProviderId = $ProviderName\r\n $Path = $(Join-Path -Path $MetadataSearchByNameFolder -ChildPath \"$(_SanitizeFileName $ProviderName).txt\")\r\n if (Test-Path $Path) {\r\n $ProviderId = Get-Content $Path\r\n }\r\n\r\n $MetadataPath = (Join-Path -Path $MetadataFolder -ChildPath \"$ProviderId.xml\")\r\n if (-not (Test-Path $MetadataPath)) {\r\n Write-Error \"No metadata found for provider '$($ProviderId)'\"\r\n }\r\n\r\n $Metadata = [xml](Get-Content $MetadataPath)\r\n\r\n [PSCustomObject]@{\r\n Id = $ProviderId\r\n Name = $Metadata.provider.name\r\n Keywords = _ResolveKeywords $Metadata $([ulong]::MaxValue)\r\n }\r\n}\r\n"
},
{
"path": "assets/other/WTComTrace.wprp",
"content": "\r\n\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n\r\n"
},
{
"path": "assets/other/winapi-user32.ps1.txt",
"content": "$ErrorActionPreference = \"Stop\"\r\n\r\nAdd-Type -TypeDefinition @\"\r\n using System;\r\n public enum GWL_EXSTYLE : int {\r\n WS_EX_DLGMODALFRAME = 0x00000001,\r\n WS_EX_NOPARENTNOTIFY = 0x00000004,\r\n WS_EX_TOPMOST = 0x00000008,\r\n WS_EX_ACCEPTFILES = 0x00000010,\r\n WS_EX_TRANSPARENT = 0x00000020,\r\n WS_EX_MDICHILD = 0x00000040,\r\n WS_EX_TOOLWINDOW = 0x00000080,\r\n WS_EX_WINDOWEDGE = 0x00000100,\r\n WS_EX_CLIENTEDGE = 0x00000200,\r\n WS_EX_CONTEXTHELP = 0x00000400,\r\n WS_EX_RIGHT = 0x00001000,\r\n WS_EX_LEFT = 0x00000000,\r\n WS_EX_RTLREADING = 0x00002000,\r\n WS_EX_LTRREADING = 0x00000000,\r\n WS_EX_LEFTSCROLLBAR = 0x00004000,\r\n WS_EX_RIGHTSCROLLBAR = 0x00000000,\r\n WS_EX_CONTROLPARENT = 0x00010000,\r\n WS_EX_STATICEDGE = 0x00020000,\r\n WS_EX_APPWINDOW = 0x00040000,\r\n WS_EX_LAYERED = 0x00080000,\r\n WS_EX_NOINHERITLAYOUT = 0x00100000,\r\n WS_EX_NOREDIRECTIONBITMAP = 0x00200000,\r\n WS_EX_LAYOUTRTL = 0x00400000,\r\n WS_EX_COMPOSITED = 0x02000000,\r\n WS_EX_NOACTIVATE = 0x08000000\r\n }\r\n\r\n public enum GWL_STYLE : int {\r\n WS_OVERLAPPED = 0x00000000,\r\n WS_POPUP = unchecked((int)0x80000000),\r\n WS_CHILD = 0x40000000,\r\n WS_MINIMIZE = 0x20000000,\r\n WS_VISIBLE = 0x10000000,\r\n WS_DISABLED = 0x08000000,\r\n WS_CLIPSIBLINGS = 0x04000000,\r\n WS_CLIPCHILDREN = 0x02000000,\r\n WS_MAXIMIZE = 0x01000000,\r\n WS_CAPTION = 0x00C00000,\r\n WS_BORDER = 0x00800000,\r\n WS_DLGFRAME = 0x00400000,\r\n WS_VSCROLL = 0x00200000,\r\n WS_HSCROLL = 0x00100000,\r\n WS_SYSMENU = 0x00080000,\r\n WS_THICKFRAME = 0x00040000,\r\n // WS_GROUP = 0x00020000,\r\n // WS_TABSTOP = 0x00010000,\r\n WS_MINIMIZEBOX = 0x00020000,\r\n WS_MAXIMIZEBOX = 0x00010000,\r\n // WS_TILED = WS_OVERLAPPED,\r\n // WS_ICONIC = WS_MINIMIZE,\r\n // WS_SIZEBOX = WS_THICKFRAME\r\n }\r\n\r\n public enum SWP : uint {\r\n SWP_NOSIZE = 0x0001,\r\n SWP_NOMOVE = 0x0002,\r\n SWP_NOZORDER = 0x0004,\r\n SWP_NOREDRAW = 0x0008,\r\n SWP_NOACTIVATE = 0x0010,\r\n SWP_FRAMECHANGED = 0x0020,\r\n SWP_SHOWWINDOW = 0x0040,\r\n SWP_HIDEWINDOW = 0x0080,\r\n SWP_NOCOPYBITS = 0x0100,\r\n SWP_NOOWNERZORDER = 0x0200,\r\n SWP_NOSENDCHANGING = 0x0400,\r\n // SWP_DRAWFRAME = SWP_FRAMECHANGED,\r\n // SWP_NOREPOSITION = SWP_NOOWNERZORDER,\r\n SWP_DEFERERASE = 0x2000,\r\n SWP_ASYNCWINDOWPOS = 0x4000\r\n }\r\n\"@\r\n"
},
{
"path": "assets/other/windbg-install.ps1.txt",
"content": "# script created by @Izybkr (https://github.com/microsoftfeedback/WinDbg-Feedback/issues/19#issuecomment-1513926394) with my minor updates to make it work with latest WinDbg releases):\n\nparam(\n $OutDir = \".\",\n [ValidateSet(\"x64\", \"x86\", \"arm64\")]\n $Arch = \"x64\"\n)\n\nif (!(Test-Path $OutDir)) {\n $null = mkdir $OutDir\n}\n\n$ErrorActionPreference = \"Stop\"\n\nif ($PSVersionTable.PSVersion.Major -le 5) {\n [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n\n # This is a workaround to get better performance on older versions of PowerShell\n $ProgressPreference = 'SilentlyContinue'\n}\n\n# Download the appinstaller to find the current uri for the msixbundle\nInvoke-WebRequest https://aka.ms/windbg/download -OutFile $OutDir\\windbg.appinstaller\n\n# Download the msixbundle\n$msixBundleUri = ([xml](Get-Content $OutDir\\windbg.appinstaller)).AppInstaller.MainBundle.Uri\n\n# Download the msixbundle (but name as zip for older versions of Expand-Archive\nInvoke-WebRequest $msixBundleUri -OutFile $OutDir\\windbg.zip\n\n# Extract the 3 msix files (plus other files)\nExpand-Archive -DestinationPath $OutDir\\UnzippedBundle $OutDir\\windbg.zip\n\n# Expand the build you want - also renaming the msix to zip for Windows PowerShell\n$fileName = switch ($Arch) {\n \"x64\" { \"windbg_win-x64\" }\n \"x86\" { \"windbg_win-x86\" }\n \"arm64\" { \"windbg_win-arm64\" }\n}\n\n# Rename msix (for older versions of Expand-Archive) and extract the debugger\nRename-Item \"$OutDir\\UnzippedBundle\\$fileName.msix\" \"$fileName.zip\"\nExpand-Archive -DestinationPath \"$OutDir\\windbg\" \"$OutDir\\UnzippedBundle\\$fileName.zip\"\n\nRemove-Item -Recurse -Force \"$OutDir\\UnzippedBundle\"\nRemove-Item -Force \"$OutDir\\windbg.appinstaller\"\nRemove-Item -Force \"$OutDir\\windbg.zip\"\n\n# Now you can run:\n& $OutDir\\windbg\\DbgX.Shell.exe\n"
},
{
"path": "browserconfig.xml",
"content": "\n\n \n \n \n #da532c\n \n \n\n"
},
{
"path": "guides/com-troubleshooting.md",
"content": "---\r\nlayout: page\r\ntitle: COM troubleshooting\r\ndate: 2023-04-07 08:00:00 +0200\r\nredirect_from:\r\n - /articles/com-troubleshooting/\r\n - /articles/com-troubleshooting\r\n---\r\n\r\n{% raw %}\r\n\r\n**Table of contents:**\r\n\r\n\r\n\r\n- [Quick introduction to COM](#quick-introduction-to-com)\r\n - [COM metadata](#com-metadata)\r\n- [Troubleshooting COM in WinDbg](#troubleshooting-com-in-windbg)\r\n - [Monitoring COM objects in a process](#monitoring-com-objects-in-a-process)\r\n - [Tracing COM methods](#tracing-com-methods)\r\n - [Stopping the COM monitor](#stopping-the-com-monitor)\r\n- [Observing COM interactions outside WinDbg](#observing-com-interactions-outside-windbg)\r\n - [Windows Performance Recorder \\(wpr.exe\\)](#windows-performance-recorder-wprexe)\r\n - [Process Monitor](#process-monitor)\r\n - [wtrace](#wtrace)\r\n- [Troubleshooting .NET COM interop](#troubleshooting-net-com-interop)\r\n- [Links](#links)\r\n\r\n\r\n\r\nQuick introduction to COM\r\n-------------------------\r\n\r\nIn COM, everything is about interfaces. In old times, when various compiler vendors were fighting over whose \"standard\" was better, the only reliable way to call C++ class methods contained in third-party libraries was to use virtual tables. As its name suggests virtual table is a table, to be precise, a table of addresses (pointers). The \"virtual\" adjective relates to the fact that our table's addresses point to virtual methods. If you're familiar with object programming (you plan to debug COM, so you should!), you probably thought of inheritance and abstract classes. And that's correct! The abstract class is how we implement interfaces in C++ (to be more precise [an abstract class with pure virtual methods](https://en.cppreference.com/w/cpp/language/abstract_class)). Now, COM is all about passing pointers to those various virtual tables which happen to have GUID identifiers. The most important interface (parent of all interfaces) is `IUnknown`. Every COM interface must inherit from this interface. Why? For two reasons: to manage the object lifetime and to access all the other interfaces that our object may implement (or, in other words, to find all virtual tables our object is aware of). As this interface is so important, let's have a quick look at its definition:\r\n\r\n```cpp\r\nstruct __declspec(uuid(\"00000000-0000-0000-C000-000000000046\"))) IUnknown\r\n{\r\npublic:\r\n virtual HRESULT STDMETHODCALLTYPE QueryInterface(REFIID riid, void **ppvObject) = 0;\r\n virtual ULONG STDMETHODCALLTYPE AddRef( void) = 0;\r\n virtual ULONG STDMETHODCALLTYPE Release( void) = 0;\r\n};\r\n```\r\n\r\nGuess which methods are responsible for lifetime management and which are for interface querying. OK, so we know the declaration, but to debug COM, we need to understand how COM objects are laid out in the memory. Let's have a look at a sample Probe class (the snippet comes from [my Protoss COM example repository](https://github.com/lowleveldesign/protoss-com-example)):\r\n\r\n```cpp\r\nstruct __declspec(uuid(\"59644217-3e52-4202-ba49-f473590cc61a\")) IGameObject : public IUnknown\r\n{\r\npublic:\r\n virtual HRESULT STDMETHODCALLTYPE get_Name(BSTR* name) = 0;\r\n virtual HRESULT STDMETHODCALLTYPE get_Minerals(LONG* minerals) = 0;\r\n virtual HRESULT STDMETHODCALLTYPE get_BuildTime(LONG* buildtime) = 0;\r\n};\r\n\r\nstruct __declspec(uuid(\"246A22D5-CF02-44B2-BF09-AAB95A34E0CF\")) IProbe : public IUnknown\r\n{\r\npublic:\r\n virtual HRESULT STDMETHODCALLTYPE ConstructBuilding(BSTR building_name, IUnknown * *ppUnk) = 0;\r\n};\r\n\r\nclass __declspec(uuid(\"EFF8970E-C50F-45E0-9284-291CE5A6F771\")) Probe final : public IProbe, public IGameObject\r\n{ \r\n ULONG ref_count;\r\n /* ... implementation .... */\r\n}\r\n```\r\n\r\nIf we instantiate (more on that later) the Probe class, its layout in the memory will look as follows:\r\n\r\n```\r\n0:000> dps 0xfb2f58 L4\r\n00fb2f58 72367744 protoss!Probe::`vftable'\r\n00fb2f5c 7236775c protoss!Probe::`vftable'\r\n00fb2f60 00000001\r\n00fb2f64 fdfdfdfd\r\n\r\n0:000> dps 72367744 L4 * IProbe interface\r\n72367744 72341bb3 protoss!ILT+2990(?QueryInterfaceProbeUAGJABU_GUIDPAPAXZ)\r\n72367748 72341ba9 protoss!ILT+2980(?AddRefProbeUAGKXZ)\r\n7236774c 723411ae protoss!ILT+425(?ReleaseProbeUAGKXZ)\r\n72367750 723414d3 protoss!ILT+1230(?ConstructBuildingProbeUAGJPA_WPAPAUIUnknownZ)\r\n\r\n0:000> dps 7236775c L6 * IGameUnit interface\r\n7236775c 72341e3d protoss!ILT+3640(?QueryInterfaceProbeW3AGJABU_GUIDPAPAXZ)\r\n72367760 723416fe protoss!ILT+1785(?AddRefProbeW3AGKXZ)\r\n72367764 72341096 protoss!ILT+145(?ReleaseProbeW3AGKXZ)\r\n72367768 723415f0 protoss!ILT+1515(?get_NameProbeUAGJPAPA_WZ)\r\n7236776c 723419d8 protoss!ILT+2515(?get_MineralsProbeUAGJPAJZ)\r\n72367770 72341e1a protoss!ILT+3605(?get_BuildTimeProbeUAGJPAJZ)\r\n```\r\n\r\nNotice the pointers at the beginning of the object memory. As you can see in the snippet, those pointers reference arrays of function pointers or, as you remember, virtual tables. Each virtual table represents a COM interface, like `IProbe` or `IGameObject` in our case. \r\n\r\nLet's now briefly discuss the creation of COM objects. We usually start by calling one of the well-known Co-functions to create a COM object. Often, it's either `CoCreateInstance` or `CoGetClassObject`. Those functions perform actions defined in the COM registration (either in a manifest file or in the registry). In the most common (and most straightforward scenario), they load a dll and run the exported `DllGetClassObject` function:\r\n\r\n```cpp\r\nHRESULT DllGetClassObject([in] REFCLSID rclsid, [in] REFIID riid, [out] LPVOID *ppv);\r\n```\r\n\r\nOn a successful return, the `*ppv` value should point to an address of the virtual table representing a COM interface with the IID equal to `riid`. And this address will be a part of memory belonging to a COM object of the type identified by the `rclsid`.\r\n\r\nPeople often say that COM is complicated. As you just saw, COM fundamentals are clear and straightforward. However, its various implementations might cause a headache. For example, there are myriads of methods in OLE and ActiveX interfaces created to make it possible to drag/drop things between windows, use the clipboard, or embed one control in another. Remember, though, that all those crazy interfaces still need to implement `IUnknown`. And that's the advantage we can take as troubleshooters. It's easy to track new instance creations, interface queries, and interface method calls (often even with their names). That may give us enough insights to debug a problem successfully.\r\n\r\n### COM metadata\r\n\r\nCOM metadata, saved in type libraries, provides definitions of COM classes and COM interfaces. Thanks to it, we can decode method names and their argument values without debugging symbols. The tool we usually use to view the type libraries installed in the system is [OleView](https://learn.microsoft.com/en-us/windows/win32/com/ole-com-object-viewer), part of the Windows SDK. OleView has some open-source alternatives, such as [.NET OLE/COM viewer](https://github.com/tyranid/oleviewdotnet) or [OleWoo](https://github.com/leibnitz27/olewoo). [Comon](https://github.com/lowleveldesign/comon) also provides the **!cometa** command, which allows you to use COM metadata without leaving WinDbg. Before the debugging session, it is worth taking a moment to build the cometa database with the **!cometa index** command. The database resides in a temporary folder. It's an SQLite database, so you may copy it between machines. Other comon commands will use the cometa database to resolve class and interface IDs to meaningful names.\r\n\r\nYou may also do some basic queries against the database with the **!cometa showc** and **!cometa showi** commands, for example:\r\n\r\n```\r\n0:000> !cometa showi {59644217-3E52-4202-BA49-F473590CC61A}\r\nFound: {59644217-3E52-4202-BA49-F473590CC61A} (IGameObject)\r\n\r\nMethods:\r\n- [0] HRESULT QueryInterface(void* this, GUID* riid, void** ppvObject)\r\n- [1] ULONG AddRef(void* this)\r\n- [2] ULONG Release(void* this)\r\n- [3] HRESULT get_Name(void* this, BSTR* Name)\r\n- [4] HRESULT get_Minerals(void* this, long* Minerals)\r\n- [5] HRESULT get_BuildTime(void* this, long* BuildTime)\r\n\r\nRegistered VTables for IID:\r\n- Module: protoss, CLSID: {EFF8970E-C50F-45E0-9284-291CE5A6F771} (Probe), VTable offset: 0x3775c\r\n- Module: protoss, CLSID: {F5353C58-CFD9-4204-8D92-D274C7578B53} (Nexus), VTable offset: 0x37710\r\n```\r\n\r\nTroubleshooting COM in WinDbg\r\n-----------------------------\r\n\r\n### Monitoring COM objects in a process\r\n\r\nThere are various ways in which COM objects can be created. When a given function creates a COM object, you will see a `void **` as one of its arguments. After a successful call, this pointer will point to a new COM object. Let's check how we can trace such a creation. We will use breakpoints to monitor calls to the `CoCreateInstance(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv)` function. We are interested in the class (`rclsid`) and interface (`riid`) values, and the address of the created COM object (`*ppv`). When debugging a 64-bit process, our breakpoint command might look as follows:\r\n\r\n```\r\nbp combase!CoCreateInstance \".echo ==== combase!CoCreateInstance ====; dps @rsp L8; dx *(combase!GUID*)@rcx; dx *(combase!GUID*)@r9; .printf /D \\\"==> obj addr: %p\\\", poi(@rsp+28);.echo; bp /1 @$ra; g\"\r\n```\r\n\r\nThe `bp /1 @$ra` part creates a one-time breakpoint at a function return address. This second breakpoint will stop the process execution and allow us to examine the results of the function call. At this time, the `rax` register will show the return code (should be `0` for a successful call), and the created COM object (and also the interface virtual) will be at the previously printed object address. For the sake of completeness, let me show you the 32-bit version of this breakpoint:\r\n\r\n```\r\nbp combase!CoCreateInstance \".echo ==== combase!CoCreateInstance ====; dps @esp L8; dx **(combase!GUID **)(@esp + 4); dx **(combase!GUID **)(@esp + 0x10); .printf /D \\\"==> obj addr: %p\\\", poi(@esp+14);.echo; bp /1 @$ra; g\"\r\n```\r\n\r\nCreating such breakpoints for various COM functions might be a mundane task, especially when we consider that our only point in doing so is to save the addresses of the virtual tables. **Fortunately, [comon](https://github.com/lowleveldesign/comon) might be of help here**. In-process COM creation usually ends in a call to the `DllGetClassObject` function exported by the DLL implementing a given COM object. After **attaching to a process** (**!comon attach**), comon creates breakpoints on all such functions and checks the results of their executions. It also breaks when a process calls `CoRegisterClassObject`, a function called by out-of-process COM servers to register the COM objects they host.\r\n\r\nAfter you attach comon to a debugged process, you should see various log messages showing COM object creations, for example:\r\n\r\n```\r\n0:000> !comon attach\r\nCOM monitor enabled for the current process.\r\n0:000> g\r\n...\r\n[comon] 0:000 [protoss!DllGetClassObject] CLSID: {EFF8970E-C50F-45E0-9284-291CE5A6F771} (Protoss Probe), IID: {00000001-0000-0000-C000-000000000046} (IClassFactory) -> SUCCESS (0x0)\r\n[comon] 0:000 [IClassFactory::CreateInstance] CLSID: {EFF8970E-C50F-45E0-9284-291CE5A6F771} (Protoss Probe), IID: {246A22D5-CF02-44B2-BF09-AAB95A34E0CF} (IProbe) -> SUCCESS (0x0)\r\n[comon] 0:000 [IUnknown::QueryInterface] CLSID: {EFF8970E-C50F-45E0-9284-291CE5A6F771} (Protoss Probe), IID: {59644217-3E52-4202-BA49-F473590CC61A} (IGameObject) -> SUCCESS (0x0)\r\n[comon] 0:000 [protoss!DllGetClassObject] CLSID: {F5353C58-CFD9-4204-8D92-D274C7578B53} (Protoss Nexus), IID: {00000001-0000-0000-C000-000000000046} (IClassFactory) -> SUCCESS (0x0)\r\n[comon] 0:000 [IClassFactory::CreateInstance] CLSID: {F5353C58-CFD9-4204-8D92-D274C7578B53} (Protoss Nexus), IID: {C5F45CBC-4439-418C-A9F9-05AC67525E43} (INexus) -> SUCCESS (0x0)\r\n[comon] 0:000 [IUnknown::QueryInterface] CLSID: {F5353C58-CFD9-4204-8D92-D274C7578B53} (Protoss Nexus), IID: {59644217-3E52-4202-BA49-F473590CC61A} (IGameObject) -> SUCCESS (0x0)\r\n...\r\n```\r\n\r\nThe `QueryInterface` calls will show up only for the first time; it won't be reported if we have the virtual table for a given interface already registered in the cometa database. To check the COM objects registered in a given session, run the **!comon status** command, for example:\r\n\r\n```\r\n0:000> !comon status\r\nCOM monitor is RUNNING\r\n\r\nCOM types recorded for the current process:\r\n\r\nCLSID: {F5353C58-CFD9-4204-8D92-D274C7578B53} (Nexus)\r\n IID: {C5F45CBC-4439-418C-A9F9-05AC67525E43} (INexus), address: 0x723676f8\r\n IID: {00000001-0000-0000-C000-000000000046} (N/A), address: 0x7236694c\r\n IID: {59644217-3E52-4202-BA49-F473590CC61A} (IGameObject), address: 0x72367710\r\n\r\nCLSID: {EFF8970E-C50F-45E0-9284-291CE5A6F771} (Probe)\r\n IID: {00000001-0000-0000-C000-000000000046} (N/A), address: 0x72366968\r\n IID: {59644217-3E52-4202-BA49-F473590CC61A} (IGameObject), address: 0x7236775c\r\n IID: {246A22D5-CF02-44B2-BF09-AAB95A34E0CF} (IProbe), address: 0x72367744\r\n```\r\n\r\nThe `cometa` queries show now also return information about the registered virtual tables:\r\n\r\n```\r\n0:000> !cometa showc {F5353C58-CFD9-4204-8D92-D274C7578B53}\r\nFound: {F5353C58-CFD9-4204-8D92-D274C7578B53} (Nexus)\r\n\r\nRegistered VTables for CLSID:\r\n- module: protoss, IID: {00000001-0000-0000-C000-000000000046} (N/A), VTable offset: 0x3694c\r\n- module: protoss, IID: {59644217-3E52-4202-BA49-F473590CC61A} (IGameObject), VTable offset: 0x37710\r\n- module: protoss, IID: {C5F45CBC-4439-418C-A9F9-05AC67525E43} (INexus), VTable offset: 0x376f8\r\n```\r\n\r\n### Tracing COM methods\r\n\r\nWhen we know the interface virtual table address, nothing can stop us from creating breakpoints on interface methods :) I will first show you how to do that manually and later present how [comon](https://github.com/lowleveldesign/comon) may help.\r\n\r\nThe first step is to find the offset of our method in the interface definition. Let's stick to the Protoss COM example and let's create a breakpoint on the `get_Minerals` method/property from the `IGameObject` interface:\r\n\r\n```\r\n0:000> !cometa showi {59644217-3E52-4202-BA49-F473590CC61A}\r\nFound: {59644217-3E52-4202-BA49-F473590CC61A} (IGameObject)\r\n\r\nMethods:\r\n- [0] HRESULT QueryInterface(void* this, GUID* riid, void** ppvObject)\r\n- [1] ULONG AddRef(void* this)\r\n- [2] ULONG Release(void* this)\r\n- [3] HRESULT get_Name(void* this, BSTR* Name)\r\n- [4] HRESULT get_Minerals(void* this, long* Minerals)\r\n- [5] HRESULT get_BuildTime(void* this, long* BuildTime)\r\n\r\nRegistered VTables for IID:\r\n- Module: protoss, CLSID: {EFF8970E-C50F-45E0-9284-291CE5A6F771} (Probe), VTable offset: 0x3775c\r\n- Module: protoss, CLSID: {F5353C58-CFD9-4204-8D92-D274C7578B53} (Nexus), VTable offset: 0x37710\r\n```\r\n\r\nWe can see that its ordinal number is four, and two virtual tables are registered for our interface (two classes implementing it). Let's focus on the `Probe` class. To set a breakpoint method, we can use the `bp` command:\r\n\r\n```\r\nbp poi(protoss + 0x3775c + 4 * $ptrsize)\r\n```\r\n\r\nSimilarly, if we would like to set breakpoints on all the `IGameObject` methods, we might use a loop:\r\n\r\n```\r\n.for (r $t0 = 0; @$t0 < 6; r $t0 = @$t0 + 1) { bp poi(protoss + 0x3775c + @$t0 * @$ptrsize) }\r\n```\r\n\r\nInstead of setting breakpoints manually, you may use the **!cobp** command from the comon extension. It also creates a breakpoint (you will see it if you run the bl command), but on hit, comon will decode the method parameters (for the supported types). It will also automatically create a one-time breakpoint on the method return address, displaying the return code and method out parameter values. The optional parameter lets you decide if you'd like to stop when cobreakpoint is hit. An example output might look as follows:\r\n\r\n```\r\n0:000> !cobp --always {EFF8970E-C50F-45E0-9284-291CE5A6F771} {59644217-3E52-4202-BA49-F473590CC61A} get_Name\r\n[comon] Breakpoint 18 (address 0x723415f0) created / updated\r\n0:000> g\r\n[comon breakpoint] IGameObject::get_Name (iid: {59644217-3E52-4202-BA49-F473590CC61A}, clsid: {EFF8970E-C50F-45E0-9284-291CE5A6F771})\r\n\r\nParameters:\r\n- this: 0xfb2f5c (void*)\r\n- Name: 0x81fc1c (BSTR*) [out]\r\n\r\n0:000> dps 0081fc1c L1\r\n0081fc1c 00000000\r\n0:000> g\r\n[comon breakpoint] IGameObject::get_Name (iid: {59644217-3E52-4202-BA49-F473590CC61A}, clsid: {EFF8970E-C50F-45E0-9284-291CE5A6F771}) return\r\nResult: 0x0 (HRESULT)\r\n\r\nOut parameters:\r\n- Name: 0x81fc1c (BSTR*)\r\n\r\n0:000> du 00f9c6ac\r\n00f9c6ac \"Probe\"\r\n```\r\n\r\nIf comon can't decode a given parameter, you may use the **dx** command with combase.dll symbols (one of the rare Microsoft DLLs that comes with private symbols), for example: `dx -r2 (combase!DISPPARAMS *)(*(void **)(@esp+0x18))` or `dx -r1 ((combase!tagVARIANT[3])0x31ec1f0)`.\r\n\r\n### Stopping the COM monitor\r\n\r\nRun the **!comon detach** command to stop the COM monitor. This command will remove all the comon breakpoints and debugging session data, but you can still examine COM metadata with the cometa command.\r\n\r\nObserving COM interactions outside WinDbg\r\n-----------------------------------------\r\n\r\nSometimes we only need basic information about COM interactions, such as which objects are used and how they are launched. While WinDbg can be overkill for such scenarios, there are several simpler tools we can use to collect this additional information.\r\n\r\n### Windows Performance Recorder (wpr.exe)\r\n\r\nLet's begin with wpr.exe, a powerful tool that's likely already installed on your system. WPR requires profile files to configure tracing sessions. For basic COM event collection, you can use [the ComTrace.wprp profile](https://raw.githubusercontent.com/microsoft/winget-cli/refs/heads/master/tools/COMTrace/ComTrace.wprp) from [the winget-cli repository](https://github.com/microsoft/winget-cli). I've also created an enhanced profile, adding providers found in the [TSS scripts](https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-tss/introduction-to-troubleshootingscript-toolset-tss), which you can download **[here](/assets/other/WTComTrace.wprp)**. You can use those profiles either solely or in combination with other profiles, as shown in the examples below.\r\n\r\n```shell\r\n# Collect only COM events\r\nwpr.exe -start .\\WTComTrace.wprp -filemode\r\n# Run COM apps ...\r\n# Stop the trace when done\r\nwpr -stop C:\\temp\\comtrace.etl\r\n\r\n# Collect COM events with CPU sampling\r\nwpr.exe -start CPU -start .\\WTComTrace.wprp -filemode\r\n# Run COM apps ...\r\n# Stop the trace when done\r\nwpr -stop C:\\temp\\comtrace.etl\r\n```\r\n\r\nSome providers are the [legacy WPP providers](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing), which require TMF files to read the collected events. Fortunately, the PDB file for compbase.dll contains the required TMF data and we can decode those events. To view the collected data, open the ETL file in **[Windows Performance Analyzer (WPA)](https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-analyzer)**. Remember to load symbols first (check [the Windows configuration guide](guides/configuring-windows-for-effective-troubleshooting/#configuring-debug-symbols) how to configure symbols globally in the system), then navigate to the **Generic Events** category and open the **WPP Trace** view.\r\n\r\n### Process Monitor\r\n\r\nIn **[Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)**, we can include Registry and Process events and events where Path contains `\\CLSID\\` or `\\AppID` strings or ends with `.dll`, as in the image below:\r\n\r\n\r\n\r\nThe collected events should tell us which COM objects the application initiated and in which way. For example, if procmon shows a DLL path read from the `InprocServer32` and then we see this dll loaded, we may assume that the application created a given COM object (the event call stack may be an additional proof). If the COM server runs in a standalone process or a remote machine, other keys will be queried. We may then check the Process Tree or Network events for more details. [COM registry keys official documentation](https://learn.microsoft.com/en-us/windows/win32/com/com-registry-keys) is thorough, so please consult it to learn more.\r\n\r\n### wtrace\r\n\r\nIn **[wtrace](https://github.com/lowleveldesign/wtrace)**, we need to pick the proper handlers and define filters. An example command line might look as follows:\r\n\r\n```shell\r\nwtrace --handlers registry,process,rpc -f 'path ~ \\CLSID\\' -f 'path ~ \\AppID\\' -f 'path ~ rpc' -f 'pname = ProtossComClient'\r\n```\r\n\r\nAs you can see, wtrace may additionally show information about RPC (Remote Procedure Call) events.\r\n\r\nTroubleshooting .NET COM interop\r\n--------------------------------\r\n\r\nA native COM object must be wrapped into a Runtime Callable Wrapper (RCW) to be accessible to managed code. RCW binds a managed object (for example, `System.__Com`) and a native COM class instance. COM Callable Wrappers (CCW) work in the opposite direction - thanks to them, we may expose .NET objects to the COM world. Interestingly, the object interop usage is saved in the object's SyncBlock. Therefore, it should not come as a surprise that the **!syncblk** command from [the SOS extension](https://learn.microsoft.com/en-us/dotnet/core/diagnostics/sos-debugging-extension) presents information about RCWs and CCWs:\r\n\r\n```\r\n0:011> !syncblk\r\nIndex SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner\r\n-----------------------------\r\nTotal 5\r\nCCW 1\r\nRCW 0\r\nComClassFactory 0\r\nFree 3\r\n```\r\n\r\nWhen we add the **-all** parameter, **!syncblk** will list information about the created SyncBlocks with their corresponding objects, for example:\r\n\r\n```\r\n0:007> !syncblk -all\r\nIndex SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner\r\n 1 07FF8F54 0 0 00000000 none 030deb48 System.__ComObject\r\n 2 07FF8F20 0 0 00000000 none 030deb3c EventTesting\r\n 3 00000000 0 0 00000000 none 0 Free\r\n 4 00000000 0 0 00000000 none 0 Free\r\n 5 00000000 0 0 00000000 none 0 Free\r\n-----------------------------\r\nTotal 5\r\nCCW 1\r\nRCW 0\r\nComClassFactory 0\r\nFree 3\r\n```\r\n\r\nNow, we can dump information about managed objects using the **!dumpobj** command, for example:\r\n\r\n```\r\n0:006> !dumpobj 030deb3c\r\nName: EventTesting\r\nMethodTable: 08301668\r\nEEClass: 082f7110\r\nCCW: 0833ffe0\r\nTracked Type: false\r\nSize: 12(0xc) bytes\r\nFile: c:\\repos\\testing-com-events\\bin\\NETServer.dll\r\nFields:\r\n MT Field Offset Type VT Attr Value Name\r\n0830db50 4000003 4 ...ng+OnEventHandler 0 instance 00000000 onEvent```\r\n```\r\n\r\nThe good news is that the **!dumpobj** command also checks if a given object has a SyncBlock assigned and dumps information from it. In this case, it's the address of CCW. We may get more details about it by using the **!dumpccw** command:\r\n\r\n```\r\n0:011> !dumpccw 08060000\r\nManaged object: 02e6cf88\r\nOuter IUnknown: 00000000\r\nRef count: 0\r\nFlags: \r\nRefCounted Handle: 00D714F8 (WEAK)\r\nCOM interface pointers:\r\n IP MT Type\r\n08060010 080315b0 Server.Contract.IEventTesting\r\n```\r\n\r\nNotice here that there is only one interface implemented by the managed object and the CCW is no longer in use by the native code (Ref count equals 0). Below is an example of a CCW representing a Windows Forms ActiveX control which is still alive and implements more interfaces:\r\n\r\n```\r\n0:014> !dumpccw 0a23fde0\r\nManaged object: 04ee6984\r\nOuter IUnknown: 00000000\r\nRef count: 7\r\nFlags: \r\nRefCounted Handle: 04C716D8 (STRONG)\r\nCOM interface pointers:\r\n IP MT Type\r\n0A23FDF8 09fbbb04 Interop+Ole32+IOleControl\r\n0A23FDC8 09fbbc4c Interop+Ole32+IOleObject\r\n0A23FDCC 09fbbd34 Interop+Ole32+IOleInPlaceObject\r\n0A23FDD0 09fbbde4 Interop+Ole32+IOleInPlaceActiveObject\r\n0A23FDA8 09fbbfa0 Interop+Ole32+IViewObject2\r\n0A23FDB0 09fbc09c Interop+Ole32+IPersistStreamInit\r\n0A23FD4C 09f6485c BullsEyeControlLib.IBullsEye\r\n```\r\n\r\nIf you would like to dump information about all objects associated with SyncBlocks, you may use the following WinDbg script:\r\n\r\n```\r\n.foreach /pS 7 /ps 7 (addr { !syncblk -all }) { !do addr }\r\n```\r\n\r\nAnd to extract only the RCW or CCW addresses, we could use the **!grep** command from the [awesome Andrew Richard's PDE extension](https://onedrive.live.com/?authkey=%21AJeSzeiu8SQ7T4w&id=DAE128BD454CF957%217152&cid=DAE128BD454CF957):\r\n\r\n```\r\n0:014> .load PDE.dll\r\n0:014> !grep RCW: .foreach /pS 7 /ps 7 (addr { !syncblk -all }) { !do addr }\r\nRCW: 08086d30\r\n0:014> !grep CCW: .foreach /pS 7 /ps 7 (addr { !syncblk -all }) { !do addr }\r\nCCW: 08060000\r\n```\r\n\r\nTo keep COM objects alive in the managed memory, .NET Runtime creates handles for them. Those are either strong or ref-counted handles and we may list them with the **!gchandles** command, for example:\r\n\r\n```\r\n0:011> !gchandles -type refcounted\r\n Handle Type Object Size Data Type\r\n00D714F8 RefCounted 02e6cf88 12 0 EventTesting\r\n\r\nStatistics:\r\n MT Count TotalSize Class Name\r\n08031668 1 12 EventTesting\r\nTotal 1 objects\r\n\r\n0:014> !gchandles -type strong\r\n Handle Type Object Size Data Type\r\n04C711B4 Strong 030deb48 12 System.__ComObject\r\n...\r\n\r\nStatistics:\r\n MT Count TotalSize Class Name\r\n04ebbf00 1 12 System.__ComObject\r\n...\r\nTotal 19 objects\r\n```\r\n\r\nOf course, in those lists we will find the objects we already saw in the **!syncblk** output, so it's just another way to find them. It may be useful when tracking, for example, GC leaks.\r\n\r\nFinally, to find who is keeping our managed object alive, we could use the **!gcroot** command. And it's quite easy to find the GC roots for a particular type with the following script:\r\n\r\n```\r\n.foreach (addr { !DumpHeap -short -type System.__ComObject }) { !gcroot addr }\r\n```\r\n\r\nLinks\r\n-----\r\n\r\n- [\"Essential COM\"](https://archive.org/details/essentialcom00boxd) by Don Box\r\n- [\"Inside OLE\"](https://github.com/kraigb/InsideOLE) by Kraig Brockschmidt (Kraig published the whole book with source code on GitHub!)\r\n- [\"Inside COM+ Base Services\"](https://thrysoee.dk/InsideCOM+/) by Guy Eddon and Henry Eddon\r\n- [\"COM and .NET interoperability\"](https://link.springer.com/book/10.1007/978-1-4302-0824-2) and [source code](https://github.com/Apress/com-.net-interoperability) by Andrew Troelsen\r\n- [\".NET and COM: The Complete Interoperability Guide\"](https://books.google.pl/books/about/NET_and_COM.html?id=x2OIPSyFLBcC) by Adam Nathan\r\n- [COM+ revisited](https://lowleveldesign.wordpress.com/2022/01/17/com-revisited/) by me :)\r\n- [Calling Local Windows RPC Servers from .NET](https://googleprojectzero.blogspot.com/2019/12/calling-local-windows-rpc-servers-from.html) by James Forshaw\r\n\r\n{% endraw %}"
},
{
"path": "guides/configuring-linux-for-effective-troubleshooting.md",
"content": "---\r\nlayout: page\r\ntitle: Configuring Linux for effective troubleshooting\r\ndate: 2025-12-26 08:00:00 +0200\r\n---\r\n\r\n**Table of contents:**\r\n\r\n\r\n\r\n- [Configuring debug symbols](#configuring-debug-symbols)\r\n\r\n\r\n\r\nConfiguring debug symbols\r\n-------------------------\r\n\r\nThese days many debugging tools can fetch debug symbols from debuginfod servers. The [official project page](https://sourceware.org/elfutils/Debuginfod.html) lists the URLs you should use for each supported distribution. For example, in my Arch Linux, the `DEBUGINFOD_URLS` environment variable is set to `https://debuginfod.archlinux.org` by the `/etc/profile.d/debuginfod.sh` script (a part of the libelf package).\r\n\r\nIf you want this variable to be preserved when running commands with sudo, you can add a rule such as the following to a file in `/etc/sudoers.d/` (e.g., `/etc/sudoers.d/debuginfod`):\r\n\r\n```\r\nDefaults env_keep += \"DEBUGINFOD_URLS\"\r\n```\r\n"
},
{
"path": "guides/configuring-windows-for-effective-troubleshooting.md",
"content": "---\r\nlayout: page\r\ntitle: Configuring Windows for effective troubleshooting\r\ndate: 2023-10-11 08:00:00 +0200\r\n---\r\n\r\n**Table of contents:**\r\n\r\n\r\n\r\n- [Configuring debug symbols](#configuring-debug-symbols)\r\n- [Replacing Task Manager with System Informer](#replacing-task-manager-with-system-informer)\r\n- [Installing and configuring Sysinternals Suite](#installing-and-configuring-sysinternals-suite)\r\n- [Configuring post-mortem debugging](#configuring-post-mortem-debugging)\r\n\r\n\r\n\r\n## Configuring debug symbols\r\n\r\nStaring at raw hex numbers is not very helpful for troubleshooting. Therefore, it's essential to take the time to properly configure debug symbols on our system. One effective method is to set the **\\_NT\\_SYMBOL\\_PATH** environment variable. Most troubleshooting tools read its value and utilize the specified symbol stores. I usually configure it to point only to the official Microsoft symbol server, resulting in the following value for the \\_NT\\_SYMBOL\\_PATH variable on my system: `SRV*C:\\symbols\\dbg*https://msdl.microsoft.com/download/symbols`. Here, `C:\\symbols` serves as a cache folder for storing downloaded symbols. I also use `C:\\symbols\\dbg` if I need to index PDB files for my applications. For further information about the \\_NT\\_SYMBOL\\_PATH variable, refer to [the official documentation](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/symbol-path).\r\n\r\nThe symbol path variable is one essential component required for successful symbol resolution. Another critical aspect is the version of **dbghelp.dll** that can work with symbol servers. Unfortunately, the version preinstalled with Windows lacks this feature. To overcome this issue, you can install the **Debugging Tools for Windows** from the [Windows SDK](https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/). Make sure to install both the x86 and x64 versions to enable debugging of both 32- and 64-bit applications. Once installed, certain tools (e.g., Symbol Informer) will automatically select the appropriate dbghelp.dll version, while others will require some configuration, as we'll explore in later sections.\r\n\r\n## Replacing Task Manager with System Informer\r\n\r\nMy long time favorite tool to observe system and processes running on it, is [System Informer](https://www.systeminformer.com/), formerly known as Process Hacker. It has so many great features that deserves a guide on its own. The process tree, which shows the process creation and termination events, is much more readable than the flat process list in Task Manager or Resource Monitor. Moreover, System Informer lets you manage services and drivers, and view live network connections. Therefore, I highly recommend to open the Options dialog and replace Task Manager with it. System Informer does not have an option to set the dbghelp.dll path in its settings, but it will detect it if you have Debugging Tools for Windows installed. So please install them to have Windows stacks correctly resolved.\r\n\r\nIf you have reasons not to use System Informer, you can try [Process Explorer](https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer). It does not have as many functionalities as System Informer, but it is still a powerful system monitor.\r\n\r\n## Installing and configuring Sysinternals Suite\r\n\r\n[Sysinternals tools](https://learn.microsoft.com/en-us/sysinternals/) help me diagnose and fix various issues on Windows systems. Most often I use [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) to capture and analyze system events, and sometimes that's the only tool I need to solve the problem! Other Sysinternals tools that I frequently use are [DebugView](https://learn.microsoft.com/en-us/sysinternals/downloads/debugview), [ProcDump](https://learn.microsoft.com/en-us/sysinternals/downloads/procdump), and [LiveKd](https://learn.microsoft.com/en-us/sysinternals/downloads/livekd). You can get the entire suite or individual tools from the [SysInternals website](https://learn.microsoft.com/en-us/sysinternals/downloads/) or from [live.sysinternals.com](https://live.sysinternals.com). However, these methods require manual updates when new versions are available. A more convenient way to keep the tools up to date is to install them from [Microsoft Store](https://www.microsoft.com/store/apps/9p7knl5rwt25).\r\n\r\nTo get the most out of Process Monitor and Process Explorer, you need to set up symbol resolution correctly. The default settings do not use the Microsoft symbol store, so you need to adjust them in the options or import the registry keys shown below (after installing Debugging Tools for Windows):\r\n\r\n```\r\n[HKEY_CURRENT_USER\\Software\\Sysinternals\\Process Explorer]\r\n\"DbgHelpPath\"=\"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Debuggers\\\\x64\\\\dbghelp.dll\"\r\n\"SymbolPath\"=\"SRV*C:\\\\symbols\\\\dbg*http://msdl.microsoft.com/download/symbols\"\r\n\r\n[HKEY_CURRENT_USER\\Software\\Sysinternals\\Process Monitor]\r\n\"DbgHelpPath\"=\"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Debuggers\\\\x64\\\\dbghelp.dll\"\r\n\"SymbolPath\"=\"SRV*C:\\\\symbols\\\\dbg*http://msdl.microsoft.com/download/symbols\"\r\n```\r\n\r\n## Configuring post-mortem debugging\r\n\r\nWe all experience application failures from time to time. When it happens, Windows collectes some data about a crash and saves it to the event log. It usually lacks details required to fully understand the root cause of an issue. Fortunately, we have options to replace this scarse report with, for example, a memory dump. One way to accomplish that is by configuring **Windows Error Reporting** . The commands below will enable minidump collection to a C:\\Dumps folder on a process failure:\r\n\r\n```shell\r\nreg.exe add \"HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\" /v DumpType /t REG_DWORD /d 1 /f\r\nreg.exe add \"HKLM\\Software\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\" /v DumpFolder /t REG_EXPAND_SZ /d C:\\dumps /f\r\n```\r\n\r\nThe available settings are listed and explained in the [WER documentation](https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps). Note, that by creating a subkey with an application name (for example, `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\test.exe`), you may customize WER settings per individual applications.\r\n\r\n[ProcDump](https://learn.microsoft.com/en-us/sysinternals/downloads/procdump) is an alternative to WER. You could install it as an [automatic debugger](https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging), which Windows will run whenever a critical error occurs in an application. Example install command (-u to uninstall):\r\n\r\n```shell\r\nprocdump -i C:\\Dumps\r\n```\r\n\r\nThese dumps can take up a lot of disk space over time, so you should either delete the old files periodically, or set up a task scheduler job that does it for you.\r\n"
},
{
"path": "guides/diagnosing-dotnet-apps.md",
"content": "---\nlayout: page\ntitle: Diagnosing .NET applications\ndate: 2024-01-01 08:00:00 +0200\n---\n\n{% raw %}\n\n:point_right: I also authored the **[.NET Diagnostics Expert](https://diagnosticsexpert.com/?utm_source=debugrecipes&utm_medium=banner&utm_campaign=general) course**, available at Dotnetos :hot_pepper: Academy. Apart from the theory, it contains lots of demos and troubleshooting guidelines. Check it out if you're interested in learning .NET troubleshooting. :point_left:\n\n**Table of contents:**\n\n\n\n- [General .NET debugging tips](#general-net-debugging-tips)\n - [Loading the SOS extension into WinDbg](#loading-the-sos-extension-into-windbg)\n - [Manually loading symbol files for .NET Core](#manually-loading-symbol-files-for-net-core)\n - [Disabling JIT optimization](#disabling-jit-optimization)\n - [Decoding managed stacks in Sysinternals](#decoding-managed-stacks-in-sysinternals)\n - [Check runtime version](#check-runtime-version)\n - [Debugging/tracing a containerized .NET application \\(Docker\\)](#debuggingtracing-a-containerized-net-application-docker)\n- [Diagnosing exceptions or erroneous behavior](#diagnosing-exceptions-or-erroneous-behavior)\n - [Using Time Travel Debugging \\(TTD\\)](#using-time-travel-debugging-ttd)\n - [Collecting a memory dump](#collecting-a-memory-dump)\n - [Analysing exception information](#analysing-exception-information)\n- [Diagnosing hangs](#diagnosing-hangs)\n - [Listing threads call stacks](#listing-threads-call-stacks)\n - [Finding locks in managed code](#finding-locks-in-managed-code)\n- [Diagnosing waits or high CPU usage](#diagnosing-waits-or-high-cpu-usage)\n- [Diagnosing managed memory leaks](#diagnosing-managed-memory-leaks)\n - [Collecting memory snapshots](#collecting-memory-snapshots)\n - [Analyzing collected snapshots](#analyzing-collected-snapshots)\n- [Diagnosing issues with assembly loading](#diagnosing-issues-with-assembly-loading)\n - [Troubleshooting loading with EventPipes/ETW \\(.NET\\)](#troubleshooting-loading-with-eventpipesetw-net)\n - [Troubleshooting loading using ETW \\(.NET Framework\\)](#troubleshooting-loading-using-etw-net-framework)\n - [Troubleshooting loading using Fusion log \\(.NET Framework\\)](#troubleshooting-loading-using-fusion-log-net-framework)\n - [GAC \\(.NET Framework\\)](#gac-net-framework)\n - [Find assembly in cache](#find-assembly-in-cache)\n - [Uninstall assembly from cache](#uninstall-assembly-from-cache)\n- [Diagnosing network connectivity issues](#diagnosing-network-connectivity-issues)\n - [.NET Core](#net-core)\n - [.NET Framework](#net-framework)\n- [ASP.NET Core](#aspnet-core)\n - [Collecting ASP.NET Core logs](#collecting-aspnet-core-logs)\n - [ILogger logs](#ilogger-logs)\n - [DiagnosticSource logs](#diagnosticsource-logs)\n - [Collecting ASP.NET Core performance counters](#collecting-aspnet-core-performance-counters)\n- [ASP.NET \\(.NET Framework\\)](#aspnet-net-framework)\n - [Examining ASP.NET process memory \\(and dumps\\)](#examining-aspnet-process-memory-and-dumps)\n - [Profiling ASP.NET](#profiling-aspnet)\n - [Application instrumentation](#application-instrumentation)\n - [ASP.NET ETW providers](#aspnet-etw-providers)\n - [Collect events using the Perfecto tool](#collect-events-using-the-perfecto-tool)\n - [Collect events using FREB](#collect-events-using-freb)\n\n\n\n## General .NET debugging tips\n\n### Loading the SOS extension into WinDbg\n\nWhen debugging a **.NET Framework application**, WinDbgX should automatically find a correct version of the SOS.dll. If it fails to do so and your .NET Framework version matches the one of the target app, use the following command:\n\n```\n.loadby sos mscorwks (.NET 2.0/3.5)\n.loadby sos clr (.NET 4.0+)\n```\n\nFor **.NET Core**, you need to download and install the **dotnet-sos** tool. The install command informs how to load SOS into WinDbg, for example:\n\n```\n> dotnet tool install -g dotnet-sos\n...\n> dotnet sos install\n...\nExecute '.load C:\\Users\\me\\.dotnet\\sos\\sos.dll' to load SOS in your Windows debugger.\nCleaning up...\nSOS install succeeded\n```\n\nSOS commands sometimes get overriden by other extensions help files. In such case, use **!sos.help \\[cmd\\]** command, for example, `!sos.help !savemodule`.\n\n### Manually loading symbol files for .NET Core\n\nI noticed that sometimes Microsoft public symbol servers do not have .NET Core dlls symbols. That does not allow WinDbg to decode native .NET stacks. Fortunately, we may solve this problem by precaching symbol files using the [dotnet-symbol](https://github.com/dotnet/symstore/tree/master/src/dotnet-symbol) tool. Assuming we set our `_NT_SYMBOL_PATH` to `SRV*C:\\symbols\\dbg*https://msdl.microsoft.com/download/symbols`, we need to run dotnet-symbol with the **--cache-directory** parameter pointing to our symbol cache folder (for example, `C:\\symbols\\dbg`):\n\n```\ndotnet-symbol --recurse-subdirectories --cache-directory c:\\symbols\\dbg -o C:\\temp\\toremove \"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\3.0.0\\*\"\n```\n\nWe may later remove the `C:\\temp\\toremove` folder as all PDB files are indexed in the cache directory. The output folder contains both DLL and PDB files, takes lots of space, and is often not required.\n\n### Disabling JIT optimization\n\nFor **.NET Core**, set the **COMPlus_JITMinOptsx** environment variable:\n\n```\nexport COMPlus_JITMinOpts=1\n```\n\nFor **.NET Framework**, you need to create an ini file. The ini file must have the same name as the executable with only extension changed to ini, eg. my.ini file will work with my.exe application.\n\n```\n[.NET Framework Debugging Control]\nGenerateTrackingInfo=1\nAllowOptimize=0\n```\n\n### Decoding managed stacks in Sysinternals\n\nAs of version 16.22 version, **Process Explorer** understands managed stacks and should display them correctly when you double click on a thread in a process.\n\n**Process Monitor**, unfortunately, lacks this feature. Pure managed modules will appear as `` in the call stack view. However, we may fix the problem for the ngened assemblies. First, you need to generate a .pdb file for the ngened assembly, for example, `ngen createPDB c:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\e2c5db271896923f5450a77229fb2077\\mscorlib.ni.dll c:\\symbols\\private`. Then make sure you have this path in your `_NT_SYMBOL_PATH` variable, for example, `C:\\symbols\\private;SRV*C:\\symbols\\dbg*http://msdl.microsoft.com/download/symbols`. If procmon still does not resolve the symbols, go to Options - Configure Symbols and reload the dbghelp.dll. I observe this issue in version 3.50.\n\n### Check runtime version\n\nFor .NET Framework 2.0, you could check the version of mscorwks in the file properties or, if in debugger, using lmmv. For .NET Framework 4.x, you need to check clr.dll (or the Release value under the `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full` key) and find it in the [Microsoft Docs](https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/versions-and-dependencies).\n\nIn .NET Core, we could run **dotnet --list-runtimes** command to list the available runtimes.\n\n### Debugging/tracing a containerized .NET application (Docker)\n\nWith the introduction of EventPipes in .NET Core 2.1, the easiest approach is to create a shared `/tmp` volume and use a sidecar diagnostics container. A sample Dockerfile.netdiag may look as follows:\n\n```\nFROM mcr.microsoft.com/dotnet/sdk:5.0 AS base\n\nRUN apt-get update && apt-get install -y lldb; \\\n dotnet tool install -g dotnet-symbol; \\\n dotnet tool install -g dotnet-sos; \\\n /root/.dotnet/tools/dotnet-sos install\n\nRUN dotnet tool install -g dotnet-counters; \\\n dotnet tool install -g dotnet-trace; \\\n dotnet tool install -g dotnet-dump; \\\n dotnet tool install -g dotnet-gcdump; \\\n echo 'export PATH=\"$PATH:/root/.dotnet/tools\"' >> /root/.bashrc\n\nENTRYPOINT [\"/bin/bash\"]\n```\n\nYou may use it to create a .NET diagnostics Docker image, for example:\n\n```\n$ docker build -t netdiag -f .\\Dockerfile.netdiag .\n```\n\nThen, create a `/tmp` volume and mount it into your .NET application container, for example:\n\n```\n$ docker volume create dotnet-tmp\n\n$ docker run --rm --name helloserver --mount \"source=dotnet-tmp,target=/tmp\" -p 13000:13000 helloserver 13000\n```\n\nAnd you are ready to run the diagnostics container and diagnose the remote application:\n\n```\n$ docker run --rm -it --mount \"source=dotnet-tmp,target=/tmp\" --pid=container:helloserver netdiag\n\nroot@d4bfaa3a9322:/# dotnet-trace ps\n 1 dotnet /usr/share/dotnet/dotnet \n```\n\nIf you only want to trace the application with **dotnet-trace**, consider using a shorter Dockerfile.nettrace file:\n\n```\nFROM mcr.microsoft.com/dotnet/sdk:5.0 AS base\n\nRUN dotnet tool install -g dotnet-trace\n\nENTRYPOINT [\"/root/.dotnet/tools/dotnet-trace\", \"collect\", \"-n\", \"dotnet\", \"-o\", \"/work/trace.nettrace\", \"@/work/input.rsp\"]\n```\n\nwhere input.rsp:\n\n```\n--providers Microsoft-Windows-DotNETRuntime:0x14C14FCCBD:4,Microsoft-DotNETCore-SampleProfiler:0xF00000000000:4\n```\n\nThe nettrace container will automatically start the tracing session enabling the providers from the input.rsp file. It also assumes the destination process name is dotnet:\n\n```\n$ docker build -t nettrace -f .\\Dockerfile.nettrace .\n\n$ docker run --rm --pid=container:helloserver --mount \"source=dotnet-tmp,target=/tmp\" -v \"$pwd/:/work\" -it nettrace\n\nProvider Name Keywords Level Enabled By\nMicrosoft-Windows-DotNETRuntime 0x00000014C14FCCBD Informational(4) --providers\nMicrosoft-DotNETCore-SampleProfiler 0x0000F00000000000 Informational(4) --providers\n\nProcess : /usr/share/dotnet/dotnet\nOutput File : /work/trace.nettrace\n[00:00:00:02] Recording trace 261.502 (KB)\nPress or to exit...11 (KB)\nStopping the trace. This may take up to minutes depending on the application being traced.\n```\n\n## Diagnosing exceptions or erroneous behavior\n\n### Using Time Travel Debugging (TTD)\n\nTime Travel Debugging is an excellent way of troubleshooting errors and exceptions. We can step through the code causing the problems at our own pace. I describe TTD in [a WinDbg guide](/guides/windbg). It is my preferred way of debugging issues in applications and I highly recommend giving it a try.\n\n### Collecting a memory dump\n\n**[dotnet-dump](https://docs.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump)** is one of the .NET diagnostics CLI tools. You may download it using curl or wget, for example: `curl -JLO https://aka.ms/dotnet-dump/win-x64`.\n\nTo create a full memory dump, run one of the commands:\n\n```\ndotnet-dump collect -p \ndotnet-dump collect -n \n```\n\nYou may create a heap-only memory dump by adding the **--type=Heap** option.\n\nCreatedump shares the location with the coreclr library, for example, for .NET 5: `/usr/share/dotnet/shared/Microsoft.NETCore.App/5.0.3/createdump` or `c:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.0.3\\createdump.exe`.\n\nTo create a full memory dump, run **createdump --full {process-id}**. With no options provided, it creates a memory dump with heap memory, which equals to **createdump --withheap {pid}**.\n\nThe .NET application may run **createdump** automatically on crash. We configure this feature through [environment variables](https://learn.microsoft.com/en-us/dotnet/core/diagnostics/collect-dumps-crash), for example:\n\n```shell\n# enable a memory dump creation on crash\nset DOTNET_DbgEnableMiniDump=1\n# when crashing, create a heap (2) memory dump, (4) for full memory dump\nset DOTNET_DbgMiniDumpType=2\n```\n\nApart from the .NET tools described above, you may create memory dumps with tools described in [the guide dedicated to diagnosing native Windows applications](diagnosing-native-windows-apps). As those tools usually do not understand .NET memory layout, I recommend creating full memory dumps to have all the necessary metadata for later analysis.\n\n### Analysing exception information\n\nFirst make sure with the **!Threads** command (SOS) that your current thread is the one with the exception context:\n\n```\n0:000> !Threads\nThreadCount: 2\nUnstartedThread: 0\nBackgroundThread: 1\nPendingThread: 0\nDeadThread: 0\nHosted Runtime: no\n\nID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception\n0 1 1ec8 000000000055adf0 2a020 Preemptive 0000000002253560:0000000002253FD0 00000000004fb970 0 Ukn System.ArgumentException 0000000002253438\n5 2 1c74 00000000005851a0 2b220 Preemptive 0000000000000000:0000000000000000 00000000004fb970 0 Ukn (Finalizer)\n```\n\nIn the snippet above we can see that the exception was thrown on the thread no. 0 and this is our currently selected thread (in case it's not, we would use **\\~0s** command) so we may use the **!PrintException** command from SOS (alias **!pe**), for example:\n\n```\n0:000> !pe\nException object: 0000000002253438\nException type: System.ArgumentException\nMessage: v should not be null\nInnerException: \nStackTrace (generated):\n\nStackTraceString: \nHResult: 80070057\n```\n\nTo see the full managed call stack, use the **!CLRStack** command. By default, the debugger will stop on an unhandled exception. If you want to stop at the moment when an exception is thrown (first-chance exception), run the **sxe clr** command at the beginning of the debugging session.\n\n## Diagnosing hangs\n\nWe usually start the analysis by looking at the threads running in a process. The call stacks help us identify blocked threads. We can use TTD, thread-time trace, or memory dumps to learn about what threads are doing. In the follow-up sections, I will describe how to find lock objects and relations between threads in memory dumps.\n\n### Listing threads call stacks\n\nTo list native stacks for all the threads in **WinDbg**, run: **~\\*k** or **~\\*e!dumpstack**. If you are interested only in managed stacks, you may use the **~\\*e!clrstack** SOS command. The **dotnet-dump**'s **analyze** command provides a super useful parallel stacks command:\n\n```\n> dotnet dump analyze test.dmp\n> pstacks\n________________________________________________\n ~~~~ 5cd8\n 1 System.Threading.Monitor.Enter(Object, Boolean ByRef)\n 1 deadlock.Program.Lock2()\n ~~~~ 3e58\n 1 System.Threading.Monitor.Enter(Object, Boolean ByRef)\n 1 deadlock.Program.Lock1()\n 2 System.Threading.Tasks.Task.InnerInvoke()\n ...\n 2 System.Threading.ThreadPoolWorkQueue.Dispatch()\n 2 System.Threading._ThreadPoolWaitCallback.PerformWaitCallback()\n```\n\nIn **LLDB**, we may show native call stacks for all the threads with the **bt all** command. Unfortunately, if we want to use !dumpstack or !clrstack commands, we need to manually switch between threads with the thread select command.\n\n### Finding locks in managed code\n\nYou may examine thin locks using **!DumpHeap -thinlocks**. To find all sync blocks, use the **!SyncBlk -all** command.\n\nOn .NET Framework, you may also use the **!dlk** command from the SOSEX extension. It is pretty good in detecting deadlocks, for example:\n\n```\n0:007> .load sosex\n0:007> !dlk\nExamining SyncBlocks...\nScanning for ReaderWriterLock(Slim) instances...\nScanning for holders of ReaderWriterLock locks...\nScanning for holders of ReaderWriterLockSlim locks...\nExamining CriticalSections...\nScanning for threads waiting on SyncBlocks...\nScanning for threads waiting on ReaderWriterLock locks...\nScanning for threads waiting on ReaderWriterLocksSlim locks...\n*** WARNING: Unable to verify checksum for C:\\WINDOWS\\assembly\\NativeImages_v4.0.30319_32\\System\\3a4f0a84904c4b568b6621b30306261c\\System.ni.dll\n*** WARNING: Unable to verify checksum for C:\\WINDOWS\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\ebef418f08844f99287024d1790a62a4\\System.Transactions.ni.dll\nScanning for threads waiting on CriticalSections...\n*DEADLOCK DETECTED*\nCLR thread 0x1 holds the lock on SyncBlock 011e59b0 OBJ:02e93410[System.Object]\n...and is waiting on CriticalSection 01216a58\nCLR thread 0x3 holds CriticalSection 01216a58\n...and is waiting for the lock on SyncBlock 011e59b0 OBJ:02e93410[System.Object]\nCLR Thread 0x1 is waiting at clr!CrstBase::SpinEnter+0x92\nCLR Thread 0x3 is waiting at System.Threading.Monitor.Enter(System.Object, Boolean ByRef)(+0x17 Native)\n```\n\nWhen debugging locks in code that is using tasks it is often necessary to examine execution contexts assigned to the running threads. I prepared a simple script which lists threads with their execution contexts. You only need (as in previous script) to find the MT of the Thread class in your appdomain, e.g.\n\n```\n0:036> !Name2EE mscorlib.dll System.Threading.Thread\nModule: 72551000\nAssembly: mscorlib.dll\nToken: 020001d1\nMethodTable: 72954960\nEEClass: 725bc0c4\nName: System.Threading.Thread\n```\n\nAnd then paste it in the scripts below:\n\nx86 version:\n\n```\n.foreach ($addr {!DumpHeap -short -mt }) { .printf /D \"Thread: %i; Execution context: %p\\n\", poi(${$addr}+28), poi(${$addr}+8), poi(${$addr}+8) }\n```\n\nx64 version:\n\n```\n.foreach ($addr {!DumpHeap -short -mt }) { .printf /D \"Thread: %i; Execution context: %p\\n\", poi(${$addr}+4c), poi(${$addr}+10), poi(${$addr}+10) }\n```\n\nNotice that the thread number from the output is a managed thread id and to map it to the windbg thread number you need to use the !Threads command.\n\n## Diagnosing waits or high CPU usage\n\nDotnet-trace allows us to enable the runtime CPU sampling provider (**Microsoft-DotNETCore-SampleProfiler**). However, using it might impact application performance as it internally calls **ThreadSuspend::SuspendEE** to suspend managed code execution while collecting the samples. Although it is a sampling profiler, it is a bit special. It runs on a separate thread and collects stacks of all the managed threads, even the waiting ones. This behavior resembles the thread time profiler. Probably that's the reason why PerfView shows us the **Thread Time** view when opening the .nettrace file.\n\nSample collect examples:\n\n```bash\ndotnet-trace collect --profile cpu-sampling -p 12345\ndotnet-trace collect --profile cpu-sampling -- myapp.exe\n```\n\nDotnet-trace does not automatically enable DiagnosticSource or TPL providers. Therefore, if we want to see activities in PerfView, we need to turn them on manually, for example:\n\n```bash\ndotnet-trace collect --profile cpu-sampling --providers \"Microsoft-Diagnostics-DiagnosticSource:0xFFFFFFFFFFFFF7FF:4:FilterAndPayloadSpecs=HttpHandlerDiagnosticListener/System.Net.Http.Request@Activity2Start:Request.RequestUri\\nHttpHandlerDiagnosticListener/System.Net.Http.Response@Activity2Stop:Response.StatusCode,System.Threading.Tasks.TplEventSource:1FF:5\" -n testapp\n```\n\nFor diagnosing CPU problems in .NET applications running on Windows, we may also rely on ETW (Event Tracing for Windows). In [a guide dedicated to diagnosing native applications](diagnosing-native-windows-apps), I describe how to collect and analyze ETW traces.\n\nOn Linux, we additionally have the [perfcollect](https://docs.microsoft.com/en-us/dotnet/core/diagnostics/trace-perfcollect-lttng) script. It is the easiest way to use Linux Kernel perf_events for diagnosing .NET apps. In my tests, however, I found that quite often, it did not correctly resolve .NET stacks.\n\nTo collect CPU samples with perfcollect, use the **perfcollect collect** command. To also enable the Thread Time events, add the **-threadtime** option. If only possible, I would recommend opening the traces (even the ones from Linux) in PerfView. But if it's impossible, try the **view** command of the perfcollect script, for example:\n\n```bash\nperfcollect view sqrt.trace.zip -graphtype caller\n```\n\nUsing the **-graphtype** option, we may switch from the top-down view (`caller`) to the bottom-up view (`callee`).\n\n## Diagnosing managed memory leaks\n\n### Collecting memory snapshots\n\nIf we are interested only in GC Heaps, we may create the GC Heap snapshot using **PerfView**:\n\n perfview heapsnapshot \n\nIn GUI, we may use the menu option: **Memory -> Take Heap Snapshot**.\n\nFor .NET Core applications, we have a CLI tool: **dotnet-gcdump**, which you may get from the https://aka.ms/dotnet-gcdump/runtime-id URL, for example, https://aka.ms/dotnet-gcdump/linux-x64. And to collect the GC dump we need to run one of the commands:\n\n```\ndotnet-gcdump -p \ndotnet-gcdump -n \n```\n\nSometimes managed heap is not enough to diagnose the memory leak. In such situations, we need to create a memory dump, as described in [a guide dedicated to diagnosing native applications](diagnosing-native-windows-apps). \n\n### Analyzing collected snapshots\n\n**PerfView** can open GC Heap snapshots and dumps. If you only have a memory dump, you may convert a memory dump file to a PerfView snapshot using **PerfView HeapSnapshotFromProcessDump ProcessDumpFile {DataFile}** or using the GUI options **Memory -> Take Heap Snapshot from Dump**.\n\nI would like to bring your attention to an excellent diffing option available for heap snapshots. Imagine you made two heap snapshots of the leaking process:\n\n- first named LeakingProcess.gcdump\n- second (taken a minute later) named LeakingProcess.1.gcdump\n\nYou may now run PerfView, open two collected snapshots, switch to the LeakingProcess.1.gcdump and under the Diff menu you should see an option to diff this snapshot with the baseline:\n\n\n\nAfter you choose it, a new window will pop up with a tree of objects which have changed between the snapshots. Of course, if you have more snapshots you can generate diffs between them all. A really powerful feature!\n\n**WinDbg** allows you to analyze the full memory dumps. **Make sure that bitness of the dump matches bitness of the debugger.** Then load the SOS extension and identify objects which use most of the memory using **!DumpHeap -stat**. Later, analyze the references using the **!GCRoot** command.\n\nOther SOS commands for analyzing the managed heap include:\n\n```\n!EEHeap [-gc] [-loader]\n!HeapStat [-inclUnrooted | -iu]\n\n!DumpHeap [-stat]\n [-strings]\n [-short]\n [-min ]\n [-max ]\n [-live]\n [-dead]\n [-thinlock]\n [-startAtLowerBound]\n [-mt ]\n [-type ]\n [start [end]]\n\n!ObjSize [
![\"Creative](\"https://i.creativecommons.org/l/by/4.0/88x31.png\")