Solution for reading Win7 dumps in Win10(WinDBG)

Laith · 01 Oct 2015

Guys and gals, i'm here honored to present to you the solution for reading dumps made by Windows 7 on Windows 10 with the latest SDK. After hours and hours of re-search with no success i decided to experiment myself. I got this crazy idea when i was transferring files from my other computer to this computer. The idea was basically, what happens if you transfer the Windows 7 symbols to Windows 10? I decided to try it out, to my surprise it worked and i was able to analyze Windows 7 dumps without any symbol issues at all.

Here is a little tutorial on how to do it.

1. Download my Windows 7 symbol package from here: http://1drv.ms/1VsdqyK

2. Right-click the symcache.zip folder and download it(obviously)

3. When you have downloaded it and opened it you will see that there's a folder inside called "symcache", extract it to your desired place.

4. Go into WinDBG and go to File -> Symbol File Path

5. Click Browse and navigate to where your symbol folder is(in my case it's symcache located in root)

6. Click OK and go to File -> Save Workspace and you are done.

Another way to do is to download and install the symbols from here: Symbols for Service Pack 1(x64) machines, for Service Pack 1(x86),for RTM(x86) and for RTM(x86).

Now you should be able to read Windows 7 dumps without any problems. Please do note that you can't read Windows 10 dumps using this method. If you do want to read Windows 10 dumps you'll need the Windows 10 symbols. Hope this helped you out, this has been driving me nuts since July, i'm sure many of you aswell are tired of seeing this every single time when analyzing a Windows 7 dump.

We can just hope that MS fixes this problem, which they won't do in some time. Anyways that's it.

//Laith

derekimo · 01 Oct 2015

What is different about your symcache?

Laith · 01 Oct 2015

The symcache i uploaded includes the Windows 7 symbols. Normally if you have Windows 10 and set the symbol file path to download from MS it will begin downloading Windows 10 symbols, which aren't suited for Windows 7 dumps so it will just give alot of errors saying that the symbols aren't the correct symbols etc.

derekimo · 01 Oct 2015

That's not quite how it works.

When you start to debug a crash dump file or an application, the Windows Debugger checks whether the symbol information for a module that it loads is in the local folder. If the symbol information of the module is not located in the local folder, WinDbg tries to download the appropriate symbol file or files from the Symbol Server.

Because it may take time to download symbol files, keep in mind that the debugger may appear to stop responding (hang) the first time that you debug an application. This occurs because most of the symbol files for the system DLLs (such as Ntdll.dll, Kernel32.dll, and others) must be downloaded.

Source

You can download the symbols all the way back to XP from here,

https://msdn.microsoft.com/en-us/win...wnload_windows

Although you shouldn't really need to if your path is set correctly.

That's also why the symcache folder will grow over time.

Laith · 01 Oct 2015

That's good info aswell. I'll put it in the thread too.

Laith · 02 Oct 2015

Thanks Derek!

MrPepka · 23 Mar 2019

I will dig out this topic. Unfortunately, Microsoft no longer allows you to download symbols from your server, and the link (it from OneDrive) does not work. Is there any other way to download Windows 7 symbols?

torchwood · 23 Mar 2019

Hi MrPepka,

Call sent for help
@axe0

Roy

Laith · 23 Mar 2019

I actually had to fiddle with this the other day, here you go. I should mention that using the Microsoft server works just fine, unless the dumps you are analyzing are corrupted, which happened to be the case for me.

MrPepka · 23 Mar 2019

Microsoft's server has symbols only for Windows 10. There are no symbols for Windows 7 (At least that's how it looks in WinDBG 10.0)
Symbols that you have linked are incomplete and are not suitable for analyzing dumps