How to extract, count, and sort strings pulled from a managed dump file


 


If these steps look familiar, they’re based off a post I wrote a few years back for parsing Exchange transaction logs.  Who knew 1) they’d still be relevant, 2) I’d still resort to such hacky means, and 3) others may actually find value in this …


 


1. Download the “Unix for Win32” utilities from http://downloads.sourceforge.net/unxutils/UnxUtils.zip?modtime=1172730504&big_mirror=0


 


2. Extract all files from the UnxUtils\usr\local\wbin subdirectory to C:\Unix


 


3. Download strings.exe from http://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx, and place strings.exe into C:\Unix


 


4. Make a C:\TMP directory (the Win32 versions of the Unix tools need the Windows equivalent of the /tmp directory on Unix)


 


5. Download the sosex.dll WinDbg extension from http://www.stevestechspot.com/SOSEXV2NowAvailable.aspx; save sosex.dll to the directory where Windbg.exe resides


 


6. In WinDbg, open the .dmp file, run '!load sosex.dll', then '.logopen managed-strings.log', then '!sosex.strings'


 


Opened log file 'c:\drop\customers\internal\managed-strings.log'


0:000> !sosex.strings


Address   Gen  Value


---------------------------------------


7f2290c8   0  


7f229108   0  


7f22911c   0   Filters/IncludeExtensions


7f229160   0   Filters/IncludeExtensions


7f229394   0   true


7f22c778   0  


7f22c7d4   0   true


7f22c7f0   0   Filters/CrawlWebApplication


7f22c838   0   Filters/CrawlWebApplication



 


7. Once the sosex.dll extension completes, run '.logclose'


 


8. In your log file (managed-strings.log here), you’ll see output similar to the following:


 


0:000> !sosex.strings


Address   Gen  Value


---------------------------------------


7f2290c8   0  


7f229108   0  


7f22911c   0   Filters/IncludeExtensions


7f229160   0   Filters/IncludeExtensions


7f229394   0   true


7f22c778   0  


7f22c7d4   0   true


7f22c7f0   0   Filters/CrawlWebApplication


7f22c838   0   Filters/CrawlWebApplication


7f22cd6c   0  


7f230150   0  


7f230190   0  


7f2301a4   0   Filters/ExcludeListTypes


7f2301e8   0   Filters/ExcludeListTypes


7f23041c   0   true


7f233800   0  


7f23385c   0   true


7f233878   0   Filters/IndexItemView


7f2338b4   0   Filters/IndexItemView


7f233d9c   0   logs


7f237180   0  


7f2371dc   0   logs


7f2371f8   0   ConnectorExecution/WorkFolder


7f237244   0   ConnectorExecution/WorkFolder


 


 


9. Open an elevated command prompt, change to your C:\Unix directory, and then issue the following command:


 


strings -q -n 16 C:\path-to-logfile\managed-strings.log | cut -d " " -f7 | sort | uniq -c | sort | tee c:\users\your-username\sorted-managed-strings.txt


 


For example:


 


strings -q -n 16 C:\drop\customers\internal\managed-strings.log | cut -d " " -f7 | sort | uniq -c | sort | tee c:\users\scottos\sorted-managed-strings.txt


 


   …


202564    Database/DataSource


202564    Database/InitialCatalog


202564    Database/Password


202564    Database/PersistenceHandlerDB


202564    Database/PurgeAtStart


202564    Database/RetryPeriodWhenDBIsDown


202564    Database/TableNamePrefix


202564    Database/Username


202564    ESPSubmit/Collection


202564    Filters/CrawlWebApplication


202564    id;listtitle;listdescription;listid;listitemcount;modifiedby;createdby;id;name;created


202564    Logging/FileMode


202564    Logging/LogFile


202564    Logging/LogLevel


202564    Logging/LogServer


202564    espconn-1:16100


202564    teamsites


202565    50


202565    5000


202565    548513


202565    AUTOFLUSHFILE


202565    sql08ma1-1.eelab.fastesc.com


202565    FAST_SEARCH_QA


202565    logs


202565    MOSSConnector.log


202565    my_fast_search


202565    prod


202565    SqlServer


202566    5


202566    FAST_Hello_QA


202566    kerberos


202569    TRACE


202572    1


405130    3600


2025650   true
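
The following Python script is an added example, not part of the original post or of sosex. It does the step 9 counting directly on the !sosex.strings log, keeping values that contain spaces (which cut -d " " -f7 truncates at the first space) and listing strings that match a credential-like keyword list, since the output above includes entries such as Database/Password. The sample log, the function names and the keyword list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the !sosex.strings log shown above.
SAMPLE_LOG = """\
0:000> !sosex.strings
Address   Gen  Value
---------------------------------------
7f2290c8   0
7f22911c   0   Filters/IncludeExtensions
7f229160   0   Filters/IncludeExtensions
7f229394   0   true
7f22c7d4   1   true
7f22c7f0   1   retry after 3600 seconds
7f22c838   2   Database/Password
7f22c900   2   true
"""

# One row: hex address, generation, then the value (may be empty or contain spaces).
# A value that itself contains a newline spills onto lines that are skipped.
ROW = re.compile(r"^([0-9a-fA-F]{8,16})\s+(\S+)[ \t]*(.*)$")
# Assumed keyword list for flagging credential-like strings; tune per application.
SENSITIVE = re.compile(r"passw|pwd|secret|token|username", re.IGNORECASE)

def parse_rows(text):
    """Yield (address, gen, value) per data row; headers and prompts are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).rstrip()

def count_strings(text, min_len=1):
    """Count identical values, ignoring those shorter than min_len (empty by default)."""
    return Counter(v for _, _, v in parse_rows(text) if len(v) >= min_len)

def sorted_counts(text, min_len=1):
    """Return (count, value) pairs in ascending count order, like `uniq -c | sort`."""
    return sorted((n, v) for v, n in count_strings(text, min_len).items())

def sensitive_values(text):
    """Return distinct values that match the credential-like keyword list."""
    return sorted({v for _, _, v in parse_rows(text) if SENSITIVE.search(v)})

if __name__ == "__main__":
    for n, v in sorted_counts(SAMPLE_LOG):
        print(f"{n:7d} {v}")
    print("review before sharing:", sensitive_values(SAMPLE_LOG))
```

To run it on a real log, read managed-strings.log into a string and pass that in place of SAMPLE_LOG.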


 


 
