Creating DebugDiag rule to generate SharePoint process dump based on ULS Tags
SharePoint has a very comprehensive and configurable diagnostic logging infrastructure known as ULS logs. Most of the ULS log entries include a unique tag called eventId . This tag is a 32-bits field containing only letters and numbers (e.g.. e5mc). This tag can help identify which portion of the code emitted the log.
It is also possible to generate a dump file based on a tag file by creating a custom rule in DebugDiag even in environments without access to private symbols. By default the ULS logs are located at “c:\Program Files\Common files\Microsoft Shared\Web Server Extensions\14\LOGS”. The first part of the path (c:\Program Files\Common files\Microsoft Shared\Web Server Extensions\14) is known as 14 hive.
Figure 1 – Details of ULS logs showing the ULS Tag
Steps to create a DebugDiag rule to generate dump based on a ULS tag (tested on SharePoint 2010 and DebugDiag 1.2)
1. Run DebugDiag 1.2
2. Choose Crash rule and click Next
![clip_image002[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/6740.clip_image0027_60FD03C9.jpg "clip_image002[7]")
3. Choose A specific IIS web application pool and click Next
![clip_image004[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/0523.clip_image0047_37F4F57E.jpg "clip_image004[7]")
4. Choose the appropriate application pool (SharePoint – ms80 in this sample) and click Next
![clip_image006[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/6708.clip_image0067_1E20BF4F.jpg "clip_image006[7]")
5. On Advanced Configuration click on Breakpoints…
6. On Configure Breakpoints, click Add Breakpoint…
7. Add this breakpoint: Microsoft_Office_Server_Native!ULSSendFormattedTrace and change action to Full Userdump
![clip_image008[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/8715.clip_image0087_3C01D401.jpg "clip_image008[7]")
8. Click OK
9. Repeat the same steps to add this breakpoint: onetnative!ULSSendFormattedTrace
10. Click OK. If things are correct you should see this:
![clip_image010[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/4617.clip_image0107_76E906CA.jpg "clip_image010[7]")
11. Click Save & Close
12. Change Maximum number of userdumps created by this rule to 1
![clip_image012[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/1805.clip_image0127_51EB4651.jpg "clip_image012[7]")
13. Click Next
14. In Select Dump Location And Rule Name click Next
15. In Rule Completed, choose “Do not activate this rule at this time”
![clip_image014[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/2818.clip_image0147_618DE213.jpg "clip_image014[7]")
16. Click Finish
17. Run Notepad as Administrator
18. Open file: C:\Program Files\DebugDiag\Scripts\CrashRule_WebAppPool_SharePoint - msw80.vbs (your files should reflect your application pool instead)
19. Locate this code:
Code Snippet
- Sub Debugger_OnBreakPoint(ByVal BreakPoint, ByVal CausingThread)
- WriteToLog "Breakpoint id " & Breakpoint.ID & " at " & BreakPoint.OffsetExpression & " caused by " & GetThreadID(CausingThread)
- UpdateDeferredManagedBreakpoints
- Select Case BreakPoint.ID
- Case DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ID")
- If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
- CreateDump Breakpoint.OffsetExpression, false
- DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") + 1
- If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
- WriteToLog "Action limit of 1 reached for breakpoint Microsoft_Office_Server_Native!ULSSendFormattedTrace."
- End If
- End If
- Case DbgState("BP_onetnative!ULSSendFormattedTrace_ID")
- If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
- CreateDump Breakpoint.OffsetExpression, false
- DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") + 1
- If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
- WriteToLog "Action limit of 1 reached for breakpoint onetnative!ULSSendFormattedTrace."
- End If
- End If
- End Select
- End Sub
20. And replace with this one
Code Snippet
- Sub Debugger_OnBreakPoint(ByVal BreakPoint, ByVal CausingThread)
- WriteToLog "Breakpoint id " & Breakpoint.ID & " at " & BreakPoint.OffsetExpression & " caused by " & GetThreadID(CausingThread)
- UpdateDeferredManagedBreakpoints
- Dim targetTag
- Dim tag
- targetTag = "erv2"
- tag = Debugger.Execute(".printf ""%C%C%C%C"", @ecx/1000000, @ecx/10000, @ecx/100, @ecx")
- if(Len(tag)>4) Then
- tag=Left(tag,4)
- End If
- if(targetTag <> tag) Then
- WriteToLog "Tag " & tag
- Exit Sub
- End If
- Select Case BreakPoint.ID
- Case DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ID")
- If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
- CreateDump Breakpoint.OffsetExpression, false
- DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") + 1
- If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
- WriteToLog "Action limit of 1 reached for breakpoint Microsoft_Office_Server_Native!ULSSendFormattedTrace."
- End If
- End If
- Case DbgState("BP_onetnative!ULSSendFormattedTrace_ID")
- If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
- CreateDump Breakpoint.OffsetExpression, false
- DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") + 1
- If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
- WriteToLog "Action limit of 1 reached for breakpoint onetnative!ULSSendFormattedTrace."
- End If
- End If
- End Select
- End Sub
21. Save file and exit notepad
|
Tag erv2 only happens when SharePoint validates the certificate in federated login. If you want to just test the process,, use a tag that occurs often like 8gp7. Change targetTag value in the code above. |
![clip_image015[7]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/2746.clip_image0157_71307DD5.png "clip_image015[7]"){kind=small}
22. In DebugDiag, right-click on the rule and chose Activate Rule
![clip_image002[9]](https://msdntnarchive.blob.core.windows.net/media/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/05/10/metablogapi/4011.clip_image0029_2C83E394.jpg "clip_image002[9]")
23. Click Yes when you see the warning