
I got a dump file of my application process and processed it with DebugDiag 2.0 and WinDbg, but I got different thread call stacks, so I am very confused.

Can anybody tell me why this happens?

Below is WinDbg's thread call stack:

```
.  0  Id: 16ec.1760 Suspend: 0 Teb: 00000000`7ec1a000 Unfrozen
 # Call Site
00 wow64cpu!CpupSyscallStub
01 wow64cpu!ReadWriteFileFault
02 wow64!RunCpuSimulation
03 wow64!Wow64LdrpInitialize
04 ntdll!LdrpInitializeProcess
05 ntdll!_LdrpInitialize
06 ntdll!LdrInitializeThunk
```

And below is DebugDiag's thread call stack:

```
Thread 0 - System ID 5984

Entry point                 IMCM+1e05f
Create time                 2018-04-24 AM 10:54:21
Time spent in user mode     0 Days 00:00:00.125
Time spent in kernel mode   0 Days 00:00:00.046

This thread is not fully resolved and may or may not be a problem. Further analysis of these threads may be required.

ntdll_77720000!NtReadFile+c
KERNELBASE!ReadFile+79
msvcr110!_read_nolock+272
msvcr110!_read+a9
msvcr110!_filbuf+70
msvcr110!_fgetwc_nolock+114
msvcr110!_getws_helper+63
msvcr110!_getws_s+10
IMCM+18ec
IMSvcSrvLib!CSvcApp::Run+5c
IMComLib!CIMBaseApp::Main+62
IMCM+15515
IMCM+1dff7
kernel32!BaseThreadInitThunk+24
ntdll_77720000!__RtlUserThreadStart+2f
ntdll_77720000!_RtlUserThreadStart+1b
```
Choi
  • 2
    Is the application that you got a dump of a 32-bit or a 64-bit application? The wow64cpu output suggests that the bitness of the dump may be incorrect. If it is a 32-bit application, then you need to take a 32-bit dump of it; if it is a 64-bit application, then you need to take a 64-bit dump of it. Also, when analyzing the dump, you need to use the same bitness of WinDbg as well. I am not sure about DebugDiag, but the situation is probably the same. – Dono Apr 27 '18 at 04:04
  • 4
    @Dono is most likely correct. If you capture a 32-bit dump, it should be a lot easier to figure out what's going on. In the meantime, you can run the WinDbg command [`!wow64exts.sw`](https://blogs.msdn.microsoft.com/msdnforum/2010/03/14/how-do-i-switch-to-32bit-mode-when-i-use-windbg-to-debug-a-dump-of-a-32bit-application-running-on-an-x64-machine/) to switch to 32bit mode before printing the callstack. This won't be quite the same as debugging a 32bit dump (some extensions might not work), but it should at least help. – Sean Cline Apr 27 '18 at 10:35
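
Both comments above turn on the bitness of the dump. As an added example (not part of the original thread, and not WinDbg or DebugDiag code), this Python script reads a minidump's SystemInfo and ModuleList streams and reports the dump architecture and whether the WOW64 layer DLLs are loaded. The function names, the sample dumps and their module paths are constructed for illustration.

```python
import struct

ARCH = {0: "x86", 9: "AMD64", 12: "ARM64"}     # PROCESSOR_ARCHITECTURE_* values
SYSTEM_INFO, MODULE_LIST = 7, 4                # MINIDUMP_STREAM_TYPE values
MODULE_SIZE, NAME_RVA_OFF = 108, 20            # sizeof(MINIDUMP_MODULE), offset of ModuleNameRva

def streams(data):
    """Map stream type -> RVA using the MINIDUMP_HEADER stream directory."""
    sig, _ver, count, dir_rva = struct.unpack_from("<4sIII", data, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    entries = (struct.unpack_from("<III", data, dir_rva + 12 * i) for i in range(count))
    return {stype: rva for stype, _size, rva in entries}

def module_names(data, rva):
    """Yield lower-cased file names from the MINIDUMP_MODULE_LIST at rva."""
    (count,) = struct.unpack_from("<I", data, rva)
    for i in range(count):
        (name_rva,) = struct.unpack_from("<I", data, rva + 4 + MODULE_SIZE * i + NAME_RVA_OFF)
        (nbytes,) = struct.unpack_from("<I", data, name_rva)      # MINIDUMP_STRING.Length
        path = data[name_rva + 4:name_rva + 4 + nbytes].decode("utf-16-le")
        yield path.lower().rsplit("\\", 1)[-1]

def classify(data):
    """Return (dump architecture, True if the WOW64 layer DLLs are loaded)."""
    s = streams(data)
    (arch,) = struct.unpack_from("<H", data, s[SYSTEM_INFO])
    wow64 = not {"wow64.dll", "wow64cpu.dll"}.isdisjoint(module_names(data, s[MODULE_LIST]))
    return ARCH.get(arch, hex(arch)), wow64

def build_sample(arch, modules):
    """Constructed input: a minimal dump holding only the two streams read above."""
    sysinfo = struct.pack("<H", arch).ljust(56, b"\0")
    mod_rva = 56 + len(sysinfo)
    str_rva = mod_rva + 4 + MODULE_SIZE * len(modules)
    mods, strs = struct.pack("<I", len(modules)), b""
    for path in modules:
        raw = path.encode("utf-16-le")
        mods += struct.pack("<QIIII", 0, 0, 0, 0, str_rva + len(strs)).ljust(MODULE_SIZE, b"\0")
        strs += struct.pack("<I", len(raw)) + raw + b"\0\0"
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, 32, 0, 0, 0)
    directory = struct.pack("<6I", SYSTEM_INFO, 56, 56, MODULE_LIST, len(mods), mod_rva)
    return header + directory + sysinfo + mods + strs

SYS = "C:\\Windows\\System32\\"   # module paths below are constructed, not from the question's dump
WOW64_DUMP = build_sample(9, [SYS + "ntdll.dll", SYS + "wow64.dll", SYS + "wow64cpu.dll", "C:\\sample\\app.exe"])
X86_DUMP = build_sample(0, ["C:\\sample\\app.exe", "C:\\Windows\\SysWOW64\\ntdll.dll"])
if __name__ == "__main__":
    print(classify(WOW64_DUMP), classify(X86_DUMP))
```

An `AMD64` result together with the WOW64 DLLs means a 64-bit dump of a 32-bit process, which is the case where the default stack shows `wow64cpu!` and `wow64!` frames until the debugger is switched to the 32-bit context.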

0 Answers