Category Archives: Allgemein

WinDbg exception codes

People sometimes wonder what exception number is behind the event codes of WinDbg. Since I didn’t find a list in WinDbg’s help file, I post a list here. Many error codes are defined in NtStatus.h. Some of the codes are still missing; if you know it or find anything else missing, you can send an email to windbg.yyyy-mm-dd@lockerflockig.de where yyyy-mm-dd is the current date.

WinDbg event code Exception number
3c (port disconnected) 0xC0000037
If you want to break on 0x0000003C, specify 0x3c
aph (Application hang) 0xCFFFFFFF
asrt (Assertion failure) 0xC0000420
av (Access Violation) 0xC0000005
bpe (Break instruction) 0x80000003
bpec (Break instruction continue) N/A, just defines how to continue bpe
cce (Control-C / Control-Break exception) 0x40010008 / 0x40010005
WinDbg seems to have the same name for both.
If you want to break on 0x00000CCE, specify 0xcce
cc (Control-C / Control-Break continue) If you want to break on 0x000000CC, specify 0xcc
ch (Invalid handle) 0xC0000008
clr (.NET exception) 0xE0434F4D
This is “.COM” in ASCII.
clrn (CLR notification) 0xE0444143
This is “.DAC” in ASCII.
dm (Data misaligned) 0x80000002
dbce (Debugger command exception) 0x40010009
dz (Divide by zero) 0xC0000094
eh (C++ EH exception) 0xE06D7363
This is “.MSC” in ASCII
gp (Guard page violation) 0x80000001
hc (Handle continue) N/A, just defines how to continue ch
ii (Illegal instruction) 0xC000001D
iov (Integer overflow) 0xC0000095
isc (Invalid system call) 0xC000001C
lsq (Lock sequence invalid) 0xC000001E
rto (Runtime originate error) 0x40080201
rtt (Runtime transform error)
sbo (Stack buffer overrun) 0xC0000409
sov (Stack overflow) 0xC00000FD
Note that there is also another stack overflow exception,
0xE053534F (ASCII “.SSO”)
svh (Service hang)
sse (Single step execution) 0x80000004
ssec (Single step continue) N/A, just defines how to continue sse
vcpp (Visual C++) 0x406D1388
vs (Verifier stop) 0xC0000421
wkd (Wake debugger) 0x80000007
wob (WOW breakpoint) 0x4000001F
wos (WOW single step) 0x4000001E

The following events are not exceptions, so they have no exception number:

WinDbg event code Exception number
ct (Create thread) N/A
cpr (Create process) N/A
ct (Create thread) N/A
epr (Exit process) N/A
et (Exit thread) N/A
ibr (Initial breakpoint) N/A
iml (Initial module load) N/A
ld (Load module) N/A
out (Debug output) N/A
ser (System error) N/A
ud (Unload module) N/A

Process Monitor Log Analyzer

Process Monitor Log Analyzer LogoProcess Monitor is a good tool to detect missing files of your application. However, the process to find the one which is causing the issue is tedious. Starting from the bottom, you go through all the files which have a “Path not found” or “Name not found” error message.

We have automated this process and are glad to give you a convenient tool that displays all files which had at least one error. The result is grouped by process and sorted by the number of  errors descending, so typically the culprit is listed on top, like in the screenshot:

Process Monitor Log Analyzer Screenshot

Process Monitor Log Analyzer Screenshot

We’re also merging DLL, EXE and SYS files into one category, since those typically belong together. This makes the result even better.

Steps to use Process Monitor Log Analyzer:

  1. Start SysInternals Process Monitor
  2. Set a filter for your process to get rid of other noise
  3. Reproduce the issue, typically just run your application
  4. Save the Process Monitor result as XML file
  5. Load the XML file in Log Analyzer

You can filter the events by right-clicking one of the grouping boxes and selecting “Filter Editor…”.

Download

Procmon Log Analyzer Setup 0.2.3.42 (6.5 MB)

License

Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

This means: you can use it commercially, redistribute it by naming the author (just link here, please) but are not allowed to modify it. Source Code will not be provided.

Bugs

You can report bugs to procmonanalyzer.yyyy-mm-dd@lockerflockig.de, where yyyy-mm-dd is the current date (prevents spam) or register an account at our Bug Tracker.

System requirements

  • .NET framework 4.5 (not included in the installer)
  • Windows Vista SP2 or higher (tested on Windows 7 SP1 x64, 8.1 x32 and 10 x64 Preview)

Running programs from a full hard disk

Recently it happend that my hard disk was completely full: 0 bytes free. I thought this wouldn’t be a big issue for running programs, because I have 16 GB RAM (almost free) and another 8 GB of swap file. And it’s a 64 bit operating system of course.

For some programs such as Adobe Reader, Visual Studio 2010, Exact Audio Copy, WinDbg and probably a lot of others, it’s no problem starting without hard disk space. Of course they won’t be able to save any data on the empty drive.

Other programs however, have issues: Windows Image Viewer will not display pictures any more and Paint.NET crashes. Actually it crashes twice: first it crashes, then tries to write a crash report and crashes again because there’s no disk space for saving the crash report.

At least it is quite clear that those programs do not work well under these circumstances. Even worse is the following situation: you can start Microsoft Paint (pbrush.exe) and create pictures. Some of the pictures below were created with MS Paint. Unfortunately, Paint was unable to save some pictures correctly: the result was an empty (0 bytes) file on hard disk (although I saved it onto an external disk).

What does this mean for debugging? Well, consider an empty disk if your program does not start, even in case there’s enough memory for it to fit in.