To access the MS Symbol Server from Winpe's "System" session


2 replies to this topic

#1 noel (Frequent Member, Advanced user, 147 posts, Location: Nantes, France)

Posted 12 December 2020 - 10:24 PM

Hi,

First, sorry for my poor English.

Perhaps useless, like many things I do.

 

When I encounter an anomaly in WinPE, I often use Procmon or WinDbg.
But in the System session, I can't access the MS symbol server directly.
So I used the cache, but that required me to collect the symbols beforehand from the "ADM" session to fill the cache.

 

The 20H2 version doesn't bring any great new features other than Edge (about 300/400 MB!).
Also, to keep my mind busy in these times of Covid-19, I did some research and testing on this subject.
Since I don't think anyone is interested in my research, I give the result directly.

 

I use symchk.exe for the demonstration here because it's faster.
The environment variable lets you create the log file for Dbghelp.

 

The solution is to change a single key. I wish I'd known it before today.

 

Here's the result:

 

 

 

X:\windows\system32>set DBGHELP_LOG=\DBGHELP.LOG

X:\windows\system32>X:\Debugger\symchk.exe x:\debugger\symchk.exe /s srv*https://msdl.microso...ownload/symbols
SYMCHK: symchk.exe           FAILED  - SymChk.pdb mismatched or not found

SYMCHK: FAILED files = 1
SYMCHK: PASSED + IGNORED files = 0

X:\windows\system32>reg add "hklm\SOFTWARE\Microsoft\Symbol Server"  /v NoInternetProxy /t REG_DWORD /d 1
 

X:\windows\system32>X:\Debugger\symchk.exe x:\debugger\symchk.exe /s srv*https://msdl.microso...ownload/symbols

SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 1

The log file confirms access after the key has been changed.

 

 

X:\windows\system32>type \DBGHELP.LOG

DBGHELP: new session: Fri Dec 11 10:43:14 2020
DBGHELP: Symbol Search Path: srv*https://msdl.microso...ownload/symbols
DBGHELP: Symbol Search Path: srv*https://msdl.microso...ownload/symbols
DBGHELP: No header for x:\debugger\symchk.exe.  Searching for image on disk
DBGHELP: x:\debugger\symchk.exe - OK
SYMSRV:  BYINDEX: 0x1
         https://msdl.microso...ownload/symbols
         SymChk.pdb
         F371EE66D4C70D7E1558DE921D7E36D11
SYMSRV:  UNC: X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\SymChk.pdb - path not found
SYMSRV:  UNC: X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\SymChk.pd_ - path not found
SYMSRV:  UNC: X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\file.ptr - path not found
SYMSRV:  WinHttp interface using proxy server: none
SYMSRV:  HTTPGET: /download/symbols/index2.txt
SYMSRV:  WinHttpSendRequest: 800C2EE7 - ERROR_WINHTTP_NAME_NOT_RESOLVED
SYMSRV:  HTTPGET: /download/symbols/SymChk.pdb/F371EE66D4C70D7E1558DE921D7E36D11/SymChk.pdb
SYMSRV:  WinHttpSendRequest: 800C2EE7 - ERROR_WINHTTP_NAME_NOT_RESOLVED
SYMSRV:  RESULT: 0x800C2EE7
DBGHELP: symchk - no symbols loaded
DBGHELP: closing session: Fri Dec 11 10:43:16 2020

DBGHELP: new session: Fri Dec 11 10:46:16 2020
DBGHELP: Symbol Search Path: srv*https://msdl.microso...ownload/symbols
DBGHELP: Symbol Search Path: srv*https://msdl.microso...ownload/symbols
DBGHELP: No header for x:\debugger\symchk.exe.  Searching for image on disk
DBGHELP: x:\debugger\symchk.exe - OK
SYMSRV:  BYINDEX: 0x1
         https://msdl.microso...ownload/symbols
         SymChk.pdb
         F371EE66D4C70D7E1558DE921D7E36D11
SYMSRV:  UNC: X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\SymChk.pdb - path not found
SYMSRV:  UNC: X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\SymChk.pd_ - path not found
SYMSRV:  UNC: X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\file.ptr - path not found
SYMSRV:  HTTPGET: /download/symbols/index2.txt
SYMSRV:  HTTPGET: /download/symbols/SymChk.pdb/F371EE66D4C70D7E1558DE921D7E36D11/SymChk.pdb
SYMSRV:  SymChk.pdb from https://msdl.microso...wnload/symbols:151552 bytes - copied     
SYMSRV:  PATH: X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\SymChk.pdb
SYMSRV:  RESULT: 0x00000000
DBGHELP: symchk - public symbols 
        X:\Debugger\sym\SymChk.pdb\F371EE66D4C70D7E1558DE921D7E36D11\SymChk.pdb 

 

Now I can play more easily with my favorite tools.

No BSOD, I'm happy.
 



#2 erwan.l (Platinum Member, Developer, 2925 posts, Location: Nantes - France)

Posted 13 December 2020 - 07:42 PM

Hi Noel,

 

Not so useless :)

I use symbols as well for some of my programs (here and here, for example).

 

Actually, I can share some of my findings as well:

- there is dbghelp (the one included in Windows) and dbghelp (the one included in MS WinDbg), the latter being much more stable/complete/updated

- with the default version, I need to set the proxy (or indicate there is no proxy)

- with all versions, I need to set this variable if I want things to work under all circumstances: _NT_SYMBOL_PATH='SRV*C:\\WINDOWS\\TEMP*http://msdl.microsof...nload/symbols'

 

Thanks for sharing.

 

Regards,

Erwan
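Added example, not from the thread and not either poster's code: a PowerShell script that applies the NoInternetProxy value from post #1, sets the cache-backed _NT_SYMBOL_PATH that erwan.l's reply recommends, runs symchk with DBGHELP_LOG enabled, and then reads the log to report whether SYMSRV reached the server or failed with the 800C2EE7 (ERROR_WINHTTP_NAME_NOT_RESOLVED) status shown in post #1. It assumes PowerShell is present in the WinPE image (the WinPE-PowerShell optional component), that symchk.exe lives in X:\Debugger as in the thread, and a cache directory of X:\Debugger\sym; the Microsoft symbol server URL is written out in full here, whereas the forum display truncates it.

```powershell
# Added example (not from the thread). Run from the WinPE console (System session).
# Assumptions: symchk.exe in X:\Debugger, cache in X:\Debugger\sym, log at X:\DBGHELP.LOG.
param(
    [string]$SymChk  = 'X:\Debugger\symchk.exe',   # assumed location of symchk.exe
    [string]$Target  = 'X:\Debugger\symchk.exe',   # file whose PDB we try to fetch
    [string]$Cache   = 'X:\Debugger\sym',          # assumed local symbol cache
    [string]$LogFile = 'X:\DBGHELP.LOG'
)

$ErrorActionPreference = 'Stop'
$key  = 'HKLM:\SOFTWARE\Microsoft\Symbol Server'
$name = 'NoInternetProxy'

# 1. The single value post #1 identifies: NoInternetProxy = 1 (REG_DWORD).
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -ne 1) {
    New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    $was = if ($null -eq $current) { 'absent' } else { $current }
    Write-Host "Set $key\$name = 1 (was: $was)"
}

# 2. Symbol path with a local cache, in the srv*cache*server form erwan.l uses.
$symPath = "srv*$Cache*https://msdl.microsoft.com/download/symbols"
$env:_NT_SYMBOL_PATH = $symPath

# 3. Turn on the dbghelp log (same variable as in post #1) and run symchk.
$env:DBGHELP_LOG = $LogFile
if (Test-Path $LogFile) { Remove-Item $LogFile }
& $SymChk $Target /s $symPath
$symchkExit = $LASTEXITCODE

# 4. Read the log: did SYMSRV reach the server, and with what result?
function Get-SymSrvOutcome {
    param([string[]]$Lines)
    $result = [ordered]@{ Resolved = $false; Copied = @(); Errors = @(); Proxy = $null }
    foreach ($l in $Lines) {
        # "SYMSRV:  WinHttp interface using proxy server: none" (seen only in the failing run)
        if ($l -match 'WinHttp interface using proxy server:\s*(.+)$') { $result.Proxy = $Matches[1].Trim() }
        # "SYMSRV:  WinHttpSendRequest: 800C2EE7 - ERROR_WINHTTP_NAME_NOT_RESOLVED"
        if ($l -match 'WinHttpSendRequest:\s*([0-9A-Fa-f]{8})\s*-\s*(\S+)') { $result.Errors += "$($Matches[1]) $($Matches[2])" }
        # "SYMSRV:  SymChk.pdb from https://...:151552 bytes - copied"
        if ($l -match '^SYMSRV:\s+(\S+) from .* - copied') { $result.Copied += $Matches[1] }
        # "SYMSRV:  RESULT: 0x00000000" marks a successful lookup
        if ($l -match '^SYMSRV:\s+RESULT:\s*0x00000000') { $result.Resolved = $true }
    }
    return $result
}

$o = Get-SymSrvOutcome -Lines (Get-Content $LogFile)
if ($o.Resolved) {
    Write-Host "Symbols resolved; files copied to cache: $($o.Copied -join ', ')"
} else {
    Write-Host "Symbol lookup failed (symchk exit code $symchkExit)."
    if ($o.Proxy) { Write-Host "  WinHTTP proxy reported by SYMSRV: $($o.Proxy)" }
    $o.Errors | Sort-Object -Unique | ForEach-Object { Write-Host "  WinHTTP: $_" }
    if ($o.Errors -match '800C2EE7') {
        Write-Host "  800C2EE7 = ERROR_WINHTTP_NAME_NOT_RESOLVED: check $key\$name and that DNS works in this session."
    }
}
```

The registry write uses New-ItemProperty with -Force so it both creates the value when absent and overwrites it when present; the log parser keys on the same SYMSRV lines that appear in post #1, so a run that still reports 800C2EE7 after the value is set points at name resolution in the session rather than at the symbol server key.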



#3 noel (Frequent Member, Advanced user, 147 posts, Location: Nantes, France)

Posted 13 December 2020 - 08:15 PM

Hi Erwan,

 

I always use in WinPE the directory x:\debugger that comes from the SDK (or ADK?) with the same version as the associated WinPE.

Note: because I use it extensively,

   I set up Procmon to use this x:\debugger\dbghelp.dll

   Procmon uses x:\windows\temp\sym by default as the cache directory
 

I set up WinDbg to use the MS symbol server with or without a cache. No problem, in fact, for me.

But I think I'll write this environment variable into my next WinPE builder, because I'm too lazy to keep rewriting this path.

At home, I don't have a proxy.
And only in the System session in WinPE, before I found the right key, I wasn't able to access the MS Symbol Server.

So it's hard for me to understand why you wrote:

"- with the default version, I need to set the proxy (or indicate that there is no proxy)"

In the case of the System session, how and what key or item did you set to access the MS Symbol Server?

See you later in 2021, after Covid.





