What is mscorwks_ntdef.dll?

Ok, file this one under debugger trivia. 

If you are debugging a 32-bit CLR process from a 64-bit native (Windbg) debugger, you will notice:

 

0:040> lmvm mscorwks_ntdef
start end module name
00000000`69480000 00000000`69a10000 mscorwks_ntdef (deferred)
Image path: mscorwks_ntdef.dll
Image name: mscorwks_ntdef.dll
Timestamp: Fri Jul 25 06:58:48 2008 (4889DC18)
CheckSum: 00597CC4
ImageSize: 00590000
File version: 2.0.50727.3053
Product version: 2.0.50727.3053
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® .NET Framework
InternalName: mscorwks.dll
OriginalFilename: mscorwks.dll
ProductVersion: 2.0.50727.3053
FileVersion: 2.0.50727.3053 (netfxsp.050727-3000)
FileDescription: Microsoft .NET Runtime Common Language Runtime - WorkStation
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail

What is this mscorwks_ntdef?  It is debugger hocus pocus due to a bug.  Run this command to make it go away:

0:040> .reload /s
.....
Loading Wow64 Symbols
................................................................
................................................................
................................................................

 

Now you will see the correct output for mscorwks module:

 

0:040> lmvm mscorwks_ntdef
start end module name
0:040> lmvm mscorwks
start end module name
00000000`69480000 00000000`69a10000 mscorwks (deferred)
Image path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Image name: mscorwks.dll
Timestamp: Fri Jul 25 06:58:48 2008 (4889DC18)
CheckSum: 00597CC4
ImageSize: 00590000
File version: 2.0.50727.3053
Product version: 2.0.50727.3053
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® .NET Framework
InternalName: mscorwks.dll
OriginalFilename: mscorwks.dll
ProductVersion: 2.0.50727.3053
FileVersion: 2.0.50727.3053 (netfxsp.050727-3000)
FileDescription: Microsoft .NET Runtime Common Language Runtime - WorkStation
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail

 

However, try to load sos and it will fail:

0:040> .loadby mscorwks sos
Unable to find module 'sos'

0:040> .load C:\Windows\Microsoft.NET\Framework64\v2.0.50727\sos.dll
0:040> !dumpstack -EE
Failed to load data access DLL, 0x80004005
Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
2) the file mscordacwks.dll that matches your version of mscorwks.dll is
in the version directory
3) or, if you are debugging a dump file, verify that the file
mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
4) you are debugging on the same architecture as the dump file.
For example, an IA64 dump file must be debugged on an IA64
machine.

You can also run the debugger command .cordll to control the debugger's
load of mscordacwks.dll. .cordll -ve -u -l will do a verbose reload.
If that succeeds, the SOS command should work on retry.

If you are debugging a minidump, you need to make sure that your executable
path is pointing to mscorwks.dll as well.
0:040> .cordll -ve -u -l
CLRDLL: LoadLibrary(C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll) failed, Win32 error 193
CLRDLL: Unable to find mscordacwks_AMD64_x86_2.0.50727.3053.dll by mscorwks search
CLRDLL: Unable to find 'mscordacwks_AMD64_x86_2.0.50727.3053.dll' on the path
CLRDLL: Unable to get version info for 'c:\syms\mscorwks.dll\4889DC18590000\mscordacwks_AMD64_x86_2.0.50727.3053.dll', Win32 error 0n87
CLRDLL: ERROR: Unable to load DLL mscordacwks_AMD64_x86_2.0.50727.3053.dll, Win32 error 0n87
CLR DLL status: ERROR: Unable to load DLL mscordacwks_AMD64_x86_2.0.50727.3053.dll, Win32 error 0n87

 

Summary: Sos debugger extension will not work in "mixed bitness" debugging scenarios.  

You must debug 32-bit CLR process using 32-bit native debugger in order to get sos to work properly.

Likewise if you are debugging 64-bit CLR process, use 64-bit debugger and 64-bit sos.dll.