Logparser automated within Windbg


The .shell command in Windbg allows you to pipe the output of a debugger command to an external process and print that process's output back in the debugger window. A handy example is FIND: for instance, to walk the stack of every thread and list every frame whose symbol contains the word “isapi”:

0:036> .shell -ci "~*kpL1000" find /i "isapi"
013cff78 1004f94e ISAPI_Rewrite!TerminateFilter+0x3cef
013cffb0 1004f9f3 ISAPI_Rewrite!TerminateFilter+0x4462e
013cffec 00000000 ISAPI_Rewrite!TerminateFilter+0x446d3
0144ff78 1004f94e ISAPI_Rewrite+0x7763
0144ffb0 1004f9f3 ISAPI_Rewrite!TerminateFilter+0x4462e
0144ffec 00000000 ISAPI_Rewrite!TerminateFilter+0x446d3
.shell: Process exited

LogParser (one of my favorite debugging tools) can also read the data it parses from standard input, using the STDIN keyword; so, refactoring a script I posted some time ago, we can find out whether our application pool has loaded any duplicated assemblies that should be moved to the GAC:

0:000> .shell -ci "!peb" logparser "select extract_filename(text) as Duplicated_Assemblies, count(Duplicated_Assemblies) as Hits from STDIN where index_of(text, 'temporary asp.net files') > 0 group by Duplicated_Assemblies having count(Duplicated_Assemblies) > 1" -i:textline -o:nat -rtp:-1
Duplicated_Assemblies Hits
---------------------------- ----
errormanager.dll 2
winformsui.dll 2
externallibraryinterface.dll 2
ptshopengine.dll 2
schemas.dll 2
dbengine.dll 2
flowservice.dll 2

Statistics:
-----------
Elements processed: 182
Elements output: 7
Execution time: 0.02 seconds

.shell: Process exited


Following the same principle, we can find out whether there are strong-named assemblies in our /bin folder: first locate the address of the shared domain, then dump that domain and keep the distinct assemblies loaded into it from Temporary ASP.NET Files:

0:000> .shell -ci "!dumpdomain" find /i "shared domain"
Shared Domain: 0x793f2aa8
.shell: Process exited
0:000> .shell -ci "!dumpdomain 0x793f2aa8" logparser "SELECT DISTINCT EXTRACT_FILENAME(text) as Strong_Named_Assemblies_In_/bin FROM STDIN WHERE INDEX_OF(to_lowercase(text), 'temporary asp.net files') > 0" -i:TEXTLINE -o:NAT -RTP:-1
Strong_Named_Assemblies_In_/bin
-----------------------------------------
crypto.dll
radplaceholder.dll
scms.dll
sqldac.dll
scontrollibrary.dll
spell.dll
editor.dll
scms.resources.dll

Statistics:
-----------
Elements processed: 164
Elements output: 8
Execution time: 0.01 seconds

.shell: Process exited
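The two LogParser queries above are ordinary text processing: filter the lines that mention Temporary ASP.NET Files, pull the file name off the end of each, then either count per name (GROUP BY ... HAVING COUNT > 1) or deduplicate (SELECT DISTINCT). The script below is an added example, not code from the original post, that does the same work in Python over saved debugger output, for the case where LogParser is not installed on the box you are debugging on. The !peb and !dumpdomain lines it runs on are constructed samples shaped like that output (the module addresses, timestamps and paths are made up; only the shared domain address 0x793f2aa8 is taken from the post).

```python
import re
from collections import Counter
from typing import Iterable, List, Dict, Optional

# Constructed sample in the shape of the module list that !peb prints
# (constructed values, not output from the post). errormanager.dll and
# schemas.dll were shadow-copied twice into Temporary ASP.NET Files,
# dbengine.dll once; the two framework/system modules are noise.
PEB_SAMPLE = r"""
    Base TimeStamp                     Module
    7c800000 49c4f482 Mar 21 08:10:10 2009 C:\WINDOWS\system32\kernel32.dll
    03a40000 4a1b23c1 May 25 12:02:25 2009 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\assembly\dl3\0a0a0a0a\00000000_abcd0001\errormanager.dll
    03b00000 4a1b23c1 May 25 12:02:25 2009 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\9f8e7d6c\5b4a3928\assembly\dl3\0b0b0b0b\00000000_abcd0002\errormanager.dll
    03c00000 4a1b23c1 May 25 12:02:25 2009 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\assembly\dl3\0c0c0c0c\00000000_abcd0003\schemas.dll
    03d00000 4a1b23c1 May 25 12:02:25 2009 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\9f8e7d6c\5b4a3928\assembly\dl3\0d0d0d0d\00000000_abcd0004\schemas.dll
    03e00000 4a1b23c1 May 25 12:02:25 2009 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\assembly\dl3\0e0e0e0e\00000000_abcd0005\dbengine.dll
    79000000 4a1b23c1 May 25 12:02:25 2009 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
"""

# Constructed sample in the shape of "!dumpdomain <shared domain address>".
# SOS prints each assembly's path twice (on the "Assembly:" line and again
# under "Module Name"), which is why the post's second query needs DISTINCT.
DUMPDOMAIN_SAMPLE = r"""
--------------------------------------
Domain 1:           0x793f2aa8
Stage:              OPEN
Name:               None
Assembly:           0x001a2b3c [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll]
ClassLoader:        0x001a2c70
  Module Name
0x790c1000    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Assembly:           0x003b4c5d [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\assembly\dl3\0f0f0f0f\00000000_abcd0006\crypto.dll]
ClassLoader:        0x003b4d90
  Module Name
0x03f01000    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\assembly\dl3\0f0f0f0f\00000000_abcd0006\crypto.dll
Assembly:           0x004c5d6e [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\assembly\dl3\1a1a1a1a\00000000_abcd0007\spell.dll]
ClassLoader:        0x004c5ea0
  Module Name
0x04001000    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b\assembly\dl3\1a1a1a1a\00000000_abcd0007\spell.dll
"""

# Last path component at the end of a line, with an optional trailing ']'
# (the "Assembly: 0x... [path]" form). Equivalent of EXTRACT_FILENAME(text).
_PATH_TAIL = re.compile(r"\\([^\\\[\]\s]+)\]?\s*$")


def extract_filename(line: str) -> Optional[str]:
    """Return the file name that ends a debugger output line, or None."""
    m = _PATH_TAIL.search(line)
    return m.group(1) if m else None


def temp_aspnet_lines(lines: Iterable[str]) -> Iterable[str]:
    """Keep lines that refer to a shadow-copied assembly: the same filter as
    INDEX_OF(TO_LOWERCASE(text), 'temporary asp.net files') > 0."""
    for line in lines:
        if "temporary asp.net files" in line.lower():
            yield line


def duplicated_assemblies(lines: Iterable[str]) -> Dict[str, int]:
    """First query: GROUP BY file name, HAVING COUNT(...) > 1."""
    counts = Counter(extract_filename(l) for l in temp_aspnet_lines(lines))
    return {name: n for name, n in counts.items() if name and n > 1}


def strong_named_in_bin(lines: Iterable[str]) -> List[str]:
    """Second query: SELECT DISTINCT file name, in first-seen order."""
    seen: List[str] = []
    for line in temp_aspnet_lines(lines):
        name = extract_filename(line)
        if name and name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    print("Duplicated_Assemblies          Hits")
    for name, hits in duplicated_assemblies(PEB_SAMPLE.splitlines()).items():
        print(f"{name:30} {hits}")
    print("\nStrong_Named_Assemblies_In_/bin")
    for name in strong_named_in_bin(DUMPDOMAIN_SAMPLE.splitlines()):
        print(name)
```

To use it on real data, run the debugger command with its output logged to a file (`.logopen` before the command, `.logclose` after) and feed that file's lines to the two functions; the file-name extraction relies on the path being the last thing on the line, which holds for both !peb and !dumpdomain output.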


Instead of typing the whole command each time, you can save it in a text file and run it from within Windbg with a command like “$><c:\debuggers\snassemblies.txt”.


Carlo

Quote of the day:

Setting a good example for children takes all the fun out of middle age. – William Feather