Creating DebugDiag rule to generate SharePoint process dump based on ULS Tags


SharePoint has a very comprehensive and configurable diagnostic logging infrastructure known as ULS logs. Most of the ULS log entries include a unique tag called eventId . This tag is a 32-bits field containing only letters and numbers (e.g.. e5mc). This tag can help identify which portion of the code emitted the log.

It is also possible to generate a dump file based on a tag file by creating a custom rule in DebugDiag even in environments without access to private symbols. By default the ULS logs are located at “c:\Program Files\Common files\Microsoft Shared\Web Server Extensions\14\LOGS”. The first part of the path (c:\Program Files\Common files\Microsoft Shared\Web Server Extensions\14) is known as 14 hive.

image

Figure 1 – Details of ULS logs showing the ULS Tag

Steps to create a DebugDiag rule to generate dump based on a ULS tag (tested on SharePoint 2010 and DebugDiag 1.2)

  

1. Run DebugDiag 1.2

2. Choose Crash rule and click Next
clip_image002[7]

3. Choose A specific IIS web application pool and click Next
clip_image004[7]

4. Choose the appropriate application pool (SharePoint – ms80 in this sample) and click Next
clip_image006[7]

5. On Advanced Configuration click on Breakpoints…

6. On Configure Breakpoints, click Add Breakpoint…

7. Add this breakpoint: Microsoft_Office_Server_Native!ULSSendFormattedTrace and change action to Full Userdump
clip_image008[7]

8. Click OK

9. Repeat the same steps to add this breakpoint: onetnative!ULSSendFormattedTrace

10. Click OK. If things are correct you should see this:
clip_image010[7]

11. Click Save & Close

12. Change Maximum number of userdumps created by this rule to 1
clip_image012[7]

13. Click Next

14. In Select Dump Location And Rule Name click Next

15. In Rule Completed, choose “Do not activate this rule at this time”
clip_image014[7]

16. Click Finish

17. Run Notepad as Administrator

18. Open file: C:\Program Files\DebugDiag\Scripts\CrashRule_WebAppPool_SharePoint – msw80.vbs (your files should reflect your application pool instead)

19. Locate this code:

Code Snippet
  1. Sub Debugger_OnBreakPoint(ByVal BreakPoint, ByVal CausingThread)
  2.     WriteToLog "Breakpoint id " & Breakpoint.ID & " at " & BreakPoint.OffsetExpression & " caused by " & GetThreadID(CausingThread)
  3.     UpdateDeferredManagedBreakpoints
  4.  
  5.     Select Case BreakPoint.ID
  6.         Case DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ID")
  7.  
  8.             If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
  9.  
  10.                 CreateDump Breakpoint.OffsetExpression, false
  11.  
  12.                 DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") + 1
  13.  
  14.                 If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
  15.  
  16.                     WriteToLog "Action limit of 1 reached for breakpoint Microsoft_Office_Server_Native!ULSSendFormattedTrace."
  17.  
  18.                 End If
  19.  
  20.             End If
  21.  
  22.         Case DbgState("BP_onetnative!ULSSendFormattedTrace_ID")
  23.  
  24.             If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
  25.  
  26.                 CreateDump Breakpoint.OffsetExpression, false
  27.  
  28.                 DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") + 1
  29.  
  30.                 If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
  31.  
  32.                     WriteToLog "Action limit of 1 reached for breakpoint onetnative!ULSSendFormattedTrace."
  33.  
  34.                 End If
  35.  
  36.             End If
  37.  
  38.     End Select
  39.  
  40. End Sub

20. And replace with this one

Code Snippet
  1. Sub Debugger_OnBreakPoint(ByVal BreakPoint, ByVal CausingThread)
  2.     WriteToLog "Breakpoint id " & Breakpoint.ID & " at " & BreakPoint.OffsetExpression & " caused by " & GetThreadID(CausingThread)
  3.  
  4.     UpdateDeferredManagedBreakpoints
  5.     Dim targetTag
  6.     Dim tag
  7.     targetTag = "erv2"
  8.     tag = Debugger.Execute(".printf ""%C%C%C%C"", @ecx/1000000, @ecx/10000, @ecx/100, @ecx")
  9.     if(Len(tag)>4) Then
  10.         tag=Left(tag,4)
  11.     End If
  12.     if(targetTag <> tag) Then
  13.       WriteToLog "Tag " & tag
  14.       Exit Sub
  15.     End If
  16.     Select Case BreakPoint.ID
  17.         Case DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ID")
  18.             If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
  19.                 CreateDump Breakpoint.OffsetExpression, false
  20.                 
  21.                 DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") + 1
  22.                 If DbgState("BP_Microsoft_Office_Server_Native!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
  23.                     WriteToLog "Action limit of 1 reached for breakpoint Microsoft_Office_Server_Native!ULSSendFormattedTrace."
  24.                 End If
  25.             End If
  26.         Case DbgState("BP_onetnative!ULSSendFormattedTrace_ID")
  27.             If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") < 1 Then
  28.                 CreateDump Breakpoint.OffsetExpression, false
  29.                 
  30.                 DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") = DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") + 1
  31.                 If DbgState("BP_onetnative!ULSSendFormattedTrace_ACTION_COUNT") >= 1 Then
  32.                     WriteToLog "Action limit of 1 reached for breakpoint onetnative!ULSSendFormattedTrace."
  33.                 End If
  34.             End If
  35.     End Select
  36. End Sub

21. Save file and exit notepad

clip_image015[7] Tip:

Tag erv2 only happens when SharePoint validates the certificate in federated login. If you want to just test the process,, use a tag that occurs often like 8gp7. Change targetTag value in the code above.

22. In DebugDiag, right-click on the rule and chose Activate Rule
clip_image002[9]

23. Click Yes when you see the warning


Comments (1)

  1. This is an awesome post, Rodney.  Thanks!  I use them frequently.  For the record, these steps also work with DebugDiag 2.0 (http://debugdiag.com).  It is also safe to say that they work for SharePoint 2013 whenever the uls tag is four characters long–but not if it is five characters long?

Skip to main content